@lenne.tech/cli 1.24.1 → 1.26.0

package/build/lib/hoist-workspace-pnpm-config.js

@@ -1,6 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.hoistWorkspacePnpmConfig = hoistWorkspacePnpmConfig;
+const fs_1 = require("fs");
+const js_yaml_1 = require("js-yaml");
 /**
  * pnpm workspace-scoped fields that must live at the workspace root.
  * When present in sub-project package.json files, pnpm emits:
@@ -15,6 +17,16 @@ exports.hoistWorkspacePnpmConfig = hoistWorkspacePnpmConfig;
  * and the actual dependency-resolution behavior.
  */
 const WORKSPACE_SCOPED_PNPM_FIELDS = ['overrides', 'onlyBuiltDependencies', 'ignoredOptionalDependencies'];
+/**
+ * pnpm 11 renamed `onlyBuiltDependencies` (string array) to `allowBuilds`
+ * (a `{ pkg: boolean }` map). A migrated sub-project pnpm-workspace.yaml
+ * usually carries BOTH for cross-version compatibility, but we must not
+ * rely on the array twin always being present: we normalise `allowBuilds`
+ * back into `onlyBuiltDependencies` before hoisting (see
+ * `normalizeAllowBuilds`) so the build-allowlist survives into the pnpm-10
+ * monorepo root even when the file only carries the pnpm-11 object form.
+ */
+const PNPM11_BUILD_KEY = 'allowBuilds';
 /**
  * Hoist workspace-scoped pnpm config from sub-projects into the root
  * package.json. After this runs, sub-project package.json files no
@@ -22,6 +34,27 @@ const WORKSPACE_SCOPED_PNPM_FIELDS = ['overrides', 'onlyBuiltDependencies', 'ign
  * `ignoredOptionalDependencies`, and the root package.json contains
  * the merged union.
  *
+ * Two sources are read per sub-project, because the two starters store
+ * their pnpm config differently:
+ *
+ *   1. `<sub>/package.json` `pnpm` block — nest-server-starter, and
+ *      nuxt-base-template before its pnpm-11 migration.
+ *   2. `<sub>/pnpm-workspace.yaml` — nuxt-base-template after the
+ *      migration. pnpm 11 silently ignores the `pnpm` block in
+ *      package.json, so the template moved overrides into
+ *      pnpm-workspace.yaml. Inside a monorepo that nested file would
+ *      (a) not be hoisted by the old package.json-only logic, regressing
+ *      the CVE overrides, and (b) declare a nested workspace root that
+ *      conflicts with the monorepo's own pnpm-workspace.yaml. We hoist
+ *      its fields into the root package.json (the lt-monorepo root pins
+ *      pnpm@10 via `packageManager`, where package.json#pnpm IS honored)
+ *      and remove the now-redundant nested file.
+ *
+ * Symlinked sub-projects are skipped entirely: in `--frontend-link` /
+ * `--api-link` mode `projects/app` (or `projects/api`) points at the
+ * user's local framework checkout, and stripping its config or deleting
+ * its pnpm-workspace.yaml would corrupt that source repo.
+ *
  * Idempotent: running twice has the same effect as running once.
  *
  * @param options.filesystem  Gluegun filesystem tool
@@ -38,36 +71,106 @@ function hoistWorkspacePnpmConfig(options) {
     if (!rootPkg)
         return;
     (_a = rootPkg.pnpm) !== null && _a !== void 0 ? _a : (rootPkg.pnpm = {});
+    const rootPnpm = rootPkg.pnpm;
     let rootChanged = false;
     for (const subDir of subProjects) {
-        const subPkgPath = `${projectDir}/${subDir}/package.json`;
-        if (!filesystem.exists(subPkgPath))
+        const subPath = `${projectDir}/${subDir}`;
+        if (!filesystem.exists(subPath))
             continue;
-        const subPkg = filesystem.read(subPkgPath, 'json');
-        if (!(subPkg === null || subPkg === void 0 ? void 0 : subPkg.pnpm))
+        // Never mutate a symlinked sub-project — it points at the user's own
+        // checkout in link mode.
+        if (isSymlink(subPath))
             continue;
-        let subChanged = false;
-        for (const field of WORKSPACE_SCOPED_PNPM_FIELDS) {
-            const subValue = subPkg.pnpm[field];
-            if (subValue === undefined)
-                continue;
-            rootPkg.pnpm[field] = mergePnpmFieldValue(field, rootPkg.pnpm[field], subValue);
+        if (hoistFromSubPackageJson({ filesystem, rootPnpm, subPath })) {
             rootChanged = true;
-            delete subPkg.pnpm[field];
-            subChanged = true;
         }
-        if (subChanged) {
-            // If the sub-project's pnpm section is now empty, drop it entirely.
-            if (subPkg.pnpm && Object.keys(subPkg.pnpm).length === 0) {
-                delete subPkg.pnpm;
-            }
-            filesystem.write(subPkgPath, `${JSON.stringify(subPkg, null, 2)}\n`);
+        if (hoistFromSubWorkspaceYaml({ filesystem, rootPnpm, subPath })) {
+            rootChanged = true;
         }
     }
     if (rootChanged) {
         filesystem.write(rootPkgPath, `${JSON.stringify(rootPkg, null, 2)}\n`);
     }
 }
+/**
+ * Move the workspace-scoped pnpm fields from `source` into `rootPnpm`,
+ * deleting each moved field from `source`. Returns true if anything moved.
+ */
+function hoistFields(rootPnpm, source) {
+    let changed = false;
+    for (const field of WORKSPACE_SCOPED_PNPM_FIELDS) {
+        if (source[field] === undefined)
+            continue;
+        rootPnpm[field] = mergePnpmFieldValue(field, rootPnpm[field], source[field]);
+        delete source[field];
+        changed = true;
+    }
+    return changed;
+}
+/** Source 1: the sub-project's package.json `pnpm` block. */
+function hoistFromSubPackageJson(options) {
+    const { filesystem, rootPnpm, subPath } = options;
+    const subPkgPath = `${subPath}/package.json`;
+    if (!filesystem.exists(subPkgPath))
+        return false;
+    const subPkg = filesystem.read(subPkgPath, 'json');
+    if (!(subPkg === null || subPkg === void 0 ? void 0 : subPkg.pnpm))
+        return false;
+    if (!hoistFields(rootPnpm, subPkg.pnpm))
+        return false;
+    // If the sub-project's pnpm section is now empty, drop it entirely.
+    if (Object.keys(subPkg.pnpm).length === 0) {
+        delete subPkg.pnpm;
+    }
+    filesystem.write(subPkgPath, `${JSON.stringify(subPkg, null, 2)}\n`);
+    return true;
+}
+/** Source 2: the sub-project's pnpm-workspace.yaml (pnpm-11 layout). */
+function hoistFromSubWorkspaceYaml(options) {
+    const { filesystem, rootPnpm, subPath } = options;
+    const subWsPath = `${subPath}/pnpm-workspace.yaml`;
+    if (!filesystem.exists(subWsPath))
+        return false;
+    const raw = filesystem.read(subWsPath);
+    if (!raw)
+        return false;
+    let parsed;
+    try {
+        parsed = (0, js_yaml_1.load)(raw);
+    }
+    catch (_a) {
+        // Malformed YAML — leave it untouched rather than risk data loss.
+        return false;
+    }
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed))
+        return false;
+    const ws = parsed;
+    // Fold the pnpm-11 `allowBuilds` map into `onlyBuiltDependencies` so it is
+    // hoisted rather than discarded — even when the array twin is absent.
+    normalizeAllowBuilds(ws);
+    if (!hoistFields(rootPnpm, ws))
+        return false;
+    // A settings-only file (no `packages:`) exists solely to carry these
+    // hoisted keys — once emptied it would only declare a nested workspace
+    // root, so remove it. A file that declares `packages:` is a real (rare)
+    // nested workspace; keep it minus the hoisted keys.
+    if (Array.isArray(ws.packages) && ws.packages.length > 0) {
+        filesystem.write(subWsPath, (0, js_yaml_1.dump)(ws));
+    }
+    else {
+        filesystem.remove(subWsPath);
+    }
+    return true;
+}
+/** Whether `path` is a symbolic link (false on any stat error). */
+function isSymlink(path) {
+    try {
+        return (0, fs_1.lstatSync)(path).isSymbolicLink();
+    }
+    catch (_a) {
+        return false;
+    }
+}
 /**
  * Merge two values for a pnpm workspace-scoped field.
  *
@@ -95,3 +198,26 @@ function mergePnpmFieldValue(field, rootValue, subValue) {
     const merged = Object.assign(Object.assign({}, rootObj), subObj);
     return Object.fromEntries(Object.entries(merged).sort(([a], [b]) => a.localeCompare(b)));
 }
+/**
+ * Fold a pnpm-11 `allowBuilds: { pkg: boolean }` map into the pnpm-10
+ * `onlyBuiltDependencies: string[]` form (packages whose value is `true`),
+ * unioned with any existing array, then remove the `allowBuilds` key so the
+ * redundant object form does not linger. Mutates `ws` in place.
+ *
+ * No-op when `allowBuilds` is absent or not an object map — an unexpected
+ * shape is left untouched rather than risk silent data loss.
+ */
+function normalizeAllowBuilds(ws) {
+    const raw = ws[PNPM11_BUILD_KEY];
+    if (!raw || typeof raw !== 'object' || Array.isArray(raw))
+        return;
+    const allowed = Object.entries(raw)
+        .filter(([, enabled]) => enabled === true)
+        .map(([pkg]) => pkg);
+    if (allowed.length > 0) {
+        const existing = Array.isArray(ws.onlyBuiltDependencies) ? ws.onlyBuiltDependencies : [];
+        // Order here is irrelevant — mergePnpmFieldValue sorts the union on hoist.
+        ws.onlyBuiltDependencies = Array.from(new Set([...allowed, ...existing]));
+    }
+    delete ws[PNPM11_BUILD_KEY];
+}

package/build/lib/package-name.js

@@ -0,0 +1,99 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isUnmodifiedTemplateName = isUnmodifiedTemplateName;
+exports.renameUnmodifiedTemplatePackage = renameUnmodifiedTemplatePackage;
+exports.setPackageName = setPackageName;
+const path_1 = require("path");
+const dev_identity_1 = require("./dev-identity");
+/**
+ * package.json `name` values that are unchanged starter-template defaults.
+ *
+ * When a user clones a template manually (`git clone lenneTech/lt-monorepo
+ * my-project`) instead of running `lt fullstack init`, the `name` field
+ * stays at the template's default. That field is what
+ * `dev-identity#projectSlug` reads to derive `<slug>.localhost`, so every
+ * cloned project would collide on `https://lt-monorepo.localhost`.
+ *
+ * `lt fullstack init` rewrites this field already (see `setPackageName`);
+ * the detection here is the safety net for projects that bypassed init.
+ */
+const UNMODIFIED_TEMPLATE_NAMES = new Set(['lt-monorepo']);
+/**
+ * True when `name` matches a known unmodified starter template default.
+ */
+function isUnmodifiedTemplateName(name) {
+    return typeof name === 'string' && UNMODIFIED_TEMPLATE_NAMES.has(name);
+}
+/**
+ * If the package.json at `<projectRoot>/package.json` still carries an
+ * unmodified starter-template `name` (e.g. `lt-monorepo` from a raw
+ * `git clone`), rewrite it to the directory basename — which is what the
+ * user actually called their project when they cloned the folder.
+ *
+ * Returns the new name if a rewrite happened, `null` otherwise. Reasons
+ * for `null`: missing/unreadable package.json, name already custom, or the
+ * directory basename itself is in the deny list (pathological case of a
+ * fresh clone into a literal `lt-monorepo` folder — leaving the file
+ * untouched is correct behaviour there).
+ *
+ * Idempotent — safe to call from every `lt dev init` invocation.
+ */
+function renameUnmodifiedTemplatePackage(options) {
+    const { filesystem, projectRoot } = options;
+    const packageJsonPath = filesystem.path(projectRoot, 'package.json');
+    if (!filesystem.exists(packageJsonPath))
+        return null;
+    const pkg = filesystem.read(packageJsonPath, 'json');
+    if (!pkg || typeof pkg !== 'object' || Array.isArray(pkg))
+        return null;
+    const currentName = typeof pkg.name === 'string' ? pkg.name : null;
+    if (!isUnmodifiedTemplateName(currentName))
+        return null;
+    // Slugify the directory basename: npm names must be lowercase and
+    // URL-safe, and this keeps the rewritten value consistent with what
+    // `lt fullstack init` writes (which kebab-cases its --name arg) and
+    // with `dev-identity#projectSlug` (which slugifies whatever it reads
+    // back). Anything else would produce a slug mismatch between
+    // package.json and `<slug>.localhost`.
+    const derived = (0, dev_identity_1.slugify)((0, path_1.basename)(projectRoot));
+    if (!derived || isUnmodifiedTemplateName(derived))
+        return null;
+    const written = setPackageName({ filesystem, name: derived, packageJsonPath });
+    return written ? derived : null;
+}
+/**
+ * Set the `name` field of a package.json on disk.
+ *
+ * Used by `lt fullstack init` to rename the cloned monorepo's root package
+ * so each project gets a unique `lt dev` slug (the slug is derived from
+ * package.json `name`; without a rename every lt-monorepo-based project would
+ * register as `lt-monorepo` and collide on `https://lt-monorepo.localhost`).
+ *
+ * IMPORTANT: this reads/writes the file as parsed JSON rather than running a
+ * string regex through `patching.update`. Gluegun's `patching.update` hands
+ * the callback a *parsed object* for any `.json` file, so a String-based
+ * `content.replace(...)` callback throws `content.replace is not a function`
+ * at runtime. Going through parsed JSON here is both correct and robust: it
+ * adds a `name` field if one is missing instead of silently no-op'ing.
+ *
+ * Idempotent: if the name already equals `name`, the file is left untouched
+ * and the function returns false.
+ *
+ * @param options.filesystem      Gluegun filesystem tool
+ * @param options.name            New value for the `name` field
+ * @param options.packageJsonPath Absolute path to the package.json
+ * @returns true if the file was written, false otherwise (missing/unreadable/unchanged)
+ */
+function setPackageName(options) {
+    const { filesystem, name, packageJsonPath } = options;
+    if (!filesystem.exists(packageJsonPath))
+        return false;
+    const pkg = filesystem.read(packageJsonPath, 'json');
+    if (!pkg || typeof pkg !== 'object' || Array.isArray(pkg))
+        return false;
+    if (pkg.name === name)
+        return false;
+    pkg.name = name;
+    filesystem.write(packageJsonPath, `${JSON.stringify(pkg, null, 2)}\n`);
+    return true;
+}

package/docs/commands.md

@@ -312,10 +312,13 @@ One-time per-machine setup. Idempotent — re-run anytime to diagnose what's mis
 **Usage:**
 ```bash
 lt dev install
+lt dev install --skip-init   # do NOT auto-run `lt dev init` afterwards
 ```
 
 **Alias:** `lt d i`
 
+**Auto-chaining:** when run from inside an lt-dev-capable project that is not yet initialized, `lt dev install` runs `lt dev init` for that project **afterwards**. Pass `--skip-init` to opt out. This is one hop deep and never recurses — `install` calls the init *helper*, not the init command.
+
 **What it does:**
 1. Verifies `caddy` is on PATH (suggests `brew install caddy` if missing).
 2. Creates `~/.lenneTech/Caddyfile` stub if absent.
@@ -355,16 +358,19 @@ lt dev uninstall --noConfirm  # skip the purge prompt (keep files)
 
 ---
 
-### `lt dev migrate`
+### `lt dev init`
 
-Register an existing project with `lt dev` and apply idempotent env-aware patches. Safe to run multiple times; safe to run after `lt fullstack init`.
+Initialize an existing project for `lt dev` and apply idempotent env-aware patches. Safe to run multiple times; safe to run after `lt fullstack init`.
 
 **Usage:**
 ```bash
-lt dev migrate
+lt dev init
+lt dev init --skip-install   # do NOT auto-run `lt dev install` first
 ```
 
-**Alias:** `lt d m`
+**Alias:** `lt d init`, `lt d migrate`, `lt d m` (`migrate` is the former name, kept for backwards compatibility)
+
+**Auto-chaining:** if the machine has not been prepared yet (no `lt dev install` has run), `lt dev init` runs the install step **first**, then initializes the project. Pass `--skip-install` to opt out. This is one hop deep and never recurses — `init` calls the install *helper*, not the install command.
 
 **What it does:**
 1. Detects the workspace layout (monorepo `projects/api`+`projects/app`, or standalone).
@@ -538,7 +544,7 @@ lt dev test -- --ui spec.ts      # everything after `--` is forwarded to playwri
 | `LT_DEV_ACTIVE`, `LT_DEV_DB_NAME` | Marker keys for consumers |
 | `NODE_EXTRA_CA_CERTS` | Path to Caddy's root CA cert (auto-detected) |
 
-`lt dev migrate` injects a tiny `// >>> lt-dev:bridge >>>` block at the top of `playwright.config.ts` that loads this file at config-load time — making Playwright (CLI, IDE, VS Code extension) automatically use the `lt dev` URLs and trust the local CA, without inheriting the parent shell.
+`lt dev init` injects a tiny `// >>> lt-dev:bridge >>>` block at the top of `playwright.config.ts` that loads this file at config-load time — making Playwright (CLI, IDE, VS Code extension) automatically use the `lt dev` URLs and trust the local CA, without inheriting the parent shell.
 
 `lt dev down` removes the bridge file so subsequent runs without `lt dev up` fall back cleanly to the classic `localhost:3000`/`localhost:3001` defaults.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/cli",
-  "version": "1.24.1",
+  "version": "1.26.0",
   "description": "lenne.Tech CLI: lt",
   "keywords": [
     "lenne.Tech",
@@ -32,6 +32,8 @@
     "test:vendor-init": "bash scripts/test-vendor-init.sh",
     "test:frontend-vendor-init": "bash scripts/test-frontend-vendor-init.sh",
     "test:incremental-fullstack": "bash scripts/test-incremental-fullstack.sh",
+    "test:manual": "jest --testMatch '<rootDir>/*.manual.ts' --testTimeout=60000",
+    "test:e2e:service": "jest --testMatch '<rootDir>/dev-service-e2e.manual.ts' --testTimeout=60000",
     "format": "prettier --write 'src/**/*.{js,ts,tsx,json}' '!src/templates/**/*'",
     "lint": "eslint './src/**/*.{ts,js,vue}'",
     "lint:fix": "eslint './src/**/*.{ts,js,vue}' --fix",
@@ -58,9 +60,9 @@
     "bin"
   ],
   "dependencies": {
-    "@aws-sdk/client-s3": "3.1045.0",
+    "@aws-sdk/client-s3": "3.1053.0",
     "@lenne.tech/cli-plugin-helper": "0.0.14",
-    "axios": "1.16.0",
+    "axios": "1.16.1",
     "bcrypt": "6.0.0",
     "defuddle": "0.18.1",
     "glob": "13.0.6",
@@ -70,7 +72,7 @@
     "jsdom": "29.1.1",
     "lodash": "4.18.1",
     "open": "11.0.0",
-    "playwright-core": "1.59.1",
+    "playwright-core": "1.60.0",
     "ts-morph": "28.0.0",
     "ts-node": "10.9.2",
     "turndown": "7.2.4",
@@ -85,7 +87,7 @@
     "@types/js-yaml": "4.0.9",
     "@types/jsdom": "28.0.1",
     "@types/lodash": "4.17.24",
-    "@types/node": "25.6.2",
+    "@types/node": "25.9.1",
     "@types/turndown": "5.0.6",
     "ejs": "5.0.2",
     "eslint": "9.39.4",
@@ -94,18 +96,23 @@
     "prettier": "3.8.3",
     "rimraf": "6.1.3",
     "standard-version": "9.5.0",
-    "ts-jest": "29.4.9"
+    "ts-jest": "29.4.11"
   },
   "//overrides": {
-    "semver@*": "Force latest semver across all sub-deps; gluegun@5.2.2 pins semver@7.7.0 which is stale - remove once gluegun updates its dep."
+    "brace-expansion@5.0.2 - 5.0.5": "Security fix: GHSA-jxxr-4gwj-5jf2 (large numeric range defeats max DoS protection) in brace-expansion 5.0.2-5.0.5 - transitive via minimatch under glob, @ts-morph/common, @typescript-eslint/typescript-estree. Remove once those parents resolve minimatch to a brace-expansion >=5.0.6.",
+    "semver@*": "Force latest semver 7.x across all sub-deps; gluegun@5.2.2 pins semver@7.7.0 which is stale - remove once gluegun updates its dep."
   },
   "overrides": {
-    "semver@*": "7.7.4"
+    "brace-expansion@5.0.2 - 5.0.5": "5.0.6",
+    "semver@*": "7.8.1"
   },
   "jest": {
     "testEnvironment": "node",
     "rootDir": "__tests__",
     "testTimeout": 60000,
+    "testMatch": [
+      "<rootDir>/*.test.ts"
+    ],
     "transform": {
       "^.+\\.tsx?$": [
         "ts-jest",