@pikku/inspector 0.12.20 → 0.12.22

package/CHANGELOG.md

@@ -1,3 +1,34 @@
+## 0.12.22
+
+### Patch Changes
+
+- 06234a9: Fix DSL `Promise.all` fanout silently failing to register its child RPC (causing a runtime "Function not found").
+
+  Two distinct causes are addressed:
+  - A fanout/group captured into a variable (`const results = await Promise.all(array.map(e => workflow.do(...)))`) was dropped entirely, because the `const`-declaration path had no `Promise.all` branch — fanout handling only ran on the bare/assignment path. The declaration path now extracts fanout and parallel groups too.
+  - `extractStringLiteral` threw on a `+` concatenation with a non-static operand (e.g. `'Enrich ' + (e.id ?? e.name)`), unlike a template literal (`` `Enrich ${e.id ?? e.name}` ``) which never threw. The throw was uncaught while scanning workflow invocations and aborted the run. The `+` branch now falls back to `${...}` placeholders to match template literals, and a step's cosmetic display name can no longer block RPC registration.
+
+- 8e72c93: Exclude `node_modules` from inspector source scanning. A locally-installed addon (under the project's `node_modules`) is a dependency, not project source — scanning it double-counted the addon's own application types (`CoreConfig`/`CoreServices`/`CoreSingletonServices`) and failed `pikku all` with "More than one … found". Addons still contribute via their generated metadata, not by being re-scanned as source.
+- 6645e7a: Add a severity model for coded diagnostics so security findings can surface without blocking the dev server.
+  - `InspectorLogger` gains `diagnostic({ severity, code, message })` (`severity: 'warn' | 'error' | 'critical'`). `critical(code, message)` is now sugar for `diagnostic({ severity: 'critical', ... })`.
+  - The CLI fails the build only on `critical` diagnostics by default. New global flags `--fail-on-error` and `--fail-on-warn` (implies `--fail-on-error`) opt into stricter gating; `--fail-on-critical` is always on.
+  - Data-classification leaks (`PKU910`) are now emitted at `error` severity instead of `critical`. They are still printed, but no longer abort `pikku all` / the dev server — pass `--fail-on-error` (e.g. at deploy) to make them blocking and recommend a fix.
+  - Contract-immutability drift (`PKU861`) during `pikku versions update` (run inside `pikku all`) no longer calls `process.exit(1)`. It is surfaced as an `error` diagnostic and skips saving the manifest, so a stale baseline can't crash-loop the dev server. `pikku versions check` remains the hard gate, and `--fail-on-error` makes `pikku all` block on it at deploy.
+
+- Updated dependencies [6bca38f]
+  - @pikku/core@0.12.35
+
+## 0.12.21
+
+### Patch Changes
+
+- ef50347: Tree-shake the better-auth server out of non-auth units.
+  - `@pikku/better-auth`: add `betterAuthStatelessSession()` — a session middleware that verifies the signed better-auth cookie cache via `better-auth/cookies` (`getCookieCache`) using only `BETTER_AUTH_SECRET`, with no `services.auth()`, DB round-trip, or full server import. Mark the package `sideEffects: false` so unused barrel re-exports drop.
+  - `@pikku/cli`: when `session.cookieCache` is enabled in the better-auth config, generate the stateless session middleware into a separate `auth-middleware.gen.ts` and wire it globally, keeping the full `/api/auth/**` server only in the auth unit. Deploy artifacts (esbuild metafile + sourcemap) are now off by default; `--debug-artifacts` re-enables them.
+  - `@pikku/inspector`: ensure the orphan `auth-middleware.gen.ts` (imported by nothing) is still inspected so its global `addHTTPMiddleware('*')` registration is not dropped.
+
+  Net effect: a non-auth unit carries ~22KB (cookie-verify floor) instead of the full ~1.25MB better-auth backend.
+
 ## 0.12.20
 
 ### Patch Changes

package/dist/add/add-auth.js

@@ -136,10 +136,24 @@ export const addAuth = (logger, node, _checker, state) => {
     // Find the inner betterAuth({...}) call to read providers/basePath/credentials.
     let basePath = DEFAULT_BASE_PATH;
     let hasCredentials = false;
+    let cookieCache = false;
     const betterAuthCall = findBetterAuthCall(factory);
     const config = betterAuthCall?.arguments[0];
     if (config && ts.isObjectLiteralExpression(config)) {
         basePath = readStringProp(config, 'basePath') ?? DEFAULT_BASE_PATH;
+        // Detect `session.cookieCache.enabled` → drives the stateless middleware split.
+        const session = readObjectProp(config, 'session');
+        if (session) {
+            const cookieCacheBlock = readObjectProp(session, 'cookieCache');
+            if (cookieCacheBlock) {
+                const enabledProp = cookieCacheBlock.properties.find((p) => ts.isPropertyAssignment(p) &&
+                    (ts.isIdentifier(p.name) || ts.isStringLiteral(p.name)) &&
+                    p.name.text === 'enabled');
+                cookieCache =
+                    !enabledProp ||
+                        enabledProp.initializer.kind !== ts.SyntaxKind.FalseKeyword;
+            }
+        }
         const emailAndPassword = readObjectProp(config, 'emailAndPassword');
         if (emailAndPassword) {
             // `emailAndPassword: { enabled: true }` — treat a present block without an
@@ -182,6 +196,7 @@ export const addAuth = (logger, node, _checker, state) => {
         sourceFile,
         basePath,
         hasCredentials,
+        cookieCache,
         plugins: [...state.auth.plugins],
         services,
     };

package/dist/add/add-cli.js

@@ -7,6 +7,7 @@ import { getPropertyValue } from '../utils/get-property-value.js';
 import { resolveIdentifier } from '../utils/resolve-identifier.js';
 import { resolveAddonName } from '../utils/resolve-addon-package.js';
 import { validateAuthSessionless } from '../utils/validate-auth-sessionless.js';
+import { extractServicesFromFunction } from '../utils/extract-services.js';
 // Track if we've warned about missing Config type to avoid duplicate warnings
 const configTypeWarningShown = new Set();
 /**
@@ -628,7 +629,7 @@ function parseCommandPattern(pattern) {
 export const addCLIRenderers = (logger, node, typeChecker, inspectorState, options) => {
     if (!ts.isCallExpression(node))
         return;
-    const { expression, arguments: args, typeArguments } = node;
+    const { expression, arguments: args } = node;
     // Only handle pikkuCLIRender calls
     if (!ts.isIdentifier(expression) || expression.text !== 'pikkuCLIRender') {
         return;
@@ -640,27 +641,12 @@ export const addCLIRenderers = (logger, node, typeChecker, inspectorState, optio
     // Get the source file path
     const sourceFile = node.getSourceFile();
     const filePath = sourceFile.fileName;
-    // Extract services from type parameters (second type param is Services)
-    const services = {
-        optimized: true,
-        services: [],
-    };
-    if (typeArguments && typeArguments.length >= 2) {
-        // Second type parameter is the Services type
-        const servicesTypeNode = typeArguments[1];
-        if (servicesTypeNode) {
-            const servicesType = typeChecker.getTypeFromTypeNode(servicesTypeNode);
-            // Extract property names from the Services type
-            const properties = servicesType.getProperties();
-            for (const prop of properties) {
-                services.services.push(prop.getName());
-            }
-            // If no specific services found, it might be using the full services object
-            if (properties.length === 0) {
-                services.optimized = false;
-            }
-        }
-    }
+    // Renderer service usage is defined by the callback's first parameter shape,
+    // the same way function/auth service usage is tracked elsewhere in the inspector.
+    const renderFunc = args[0];
+    const services = ts.isArrowFunction(renderFunc) || ts.isFunctionExpression(renderFunc)
+        ? extractServicesFromFunction(renderFunc)
+        : { optimized: true, services: [] };
     // Store renderer metadata
     inspectorState.cli.meta.renderers[pikkuFuncId] = {
         name: pikkuFuncId,

package/dist/add/add-functions.js

@@ -660,16 +660,24 @@ export const addFunctions = (logger, node, checker, state, options) => {
                 .filter((f) => f.classification === 'private' || f.classification === 'pii')
                 .map((f) => f.path);
             if (secretPaths.length > 0) {
-                logger.critical(ErrorCode.PII_IN_OUTPUT, `Function '${name}' exposes secret-classified field(s) in its return type: ` +
-                    secretPaths.map((p) => `'${p}'`).join(', ') +
-                    `.\n  Secret fields must never appear in function output. ` +
-                    `Strip these fields before returning or change the column classification.`);
+                logger.diagnostic({
+                    severity: 'error',
+                    code: ErrorCode.PII_IN_OUTPUT,
+                    message: `Function '${name}' exposes secret-classified field(s) in its return type: ` +
+                        secretPaths.map((p) => `'${p}'`).join(', ') +
+                        `.\n  Secret fields must never appear in function output. ` +
+                        `Strip these fields before returning or change the column classification.`,
+                });
             }
             if (sessionless && privatePaths.length > 0) {
-                logger.critical(ErrorCode.PII_IN_OUTPUT, `Sessionless function '${name}' exposes private-classified field(s) in its return type: ` +
-                    privatePaths.map((p) => `'${p}'`).join(', ') +
-                    `.\n  Private fields are only safe to return from authenticated (sessioned) functions. ` +
-                    `Either require a session (use pikkuFunc) or mark the column @public if it is safe to expose publicly.`);
+                logger.diagnostic({
+                    severity: 'error',
+                    code: ErrorCode.PII_IN_OUTPUT,
+                    message: `Sessionless function '${name}' exposes private-classified field(s) in its return type: ` +
+                        privatePaths.map((p) => `'${p}'`).join(', ') +
+                        `.\n  Private fields are only safe to return from authenticated (sessioned) functions. ` +
+                        `Either require a session (use pikkuFunc) or mark the column @public if it is safe to expose publicly.`,
+                });
             }
         }
     }

package/dist/add/add-workflow.js

@@ -5,6 +5,20 @@ import { ErrorCode } from '../error-codes.js';
 import { extractStringLiteral, isStringLike, isFunctionLike, extractDescription, extractDuration, } from '../utils/extract-node-value.js';
 import { getCommonWireMetaData, getPropertyValue, } from '../utils/get-property-value.js';
 import { extractDSLWorkflow } from '../utils/workflow/dsl/extract-dsl-workflow.js';
+import { getSourceText } from '../utils/workflow/dsl/patterns.js';
+/**
+ * Extract a workflow step's display name without letting a non-static name
+ * (e.g. a function call) abort the scan. The step name is cosmetic, so a
+ * resolution failure must never prevent the RPC from being registered.
+ */
+function extractStepName(node, checker) {
+    try {
+        return extractStringLiteral(node, checker);
+    }
+    catch {
+        return getSourceText(node);
+    }
+}
 /**
  * Recursively check if any step has inline type (non-serializable)
  */
@@ -89,7 +103,7 @@ function getWorkflowInvocations(node, checker, state, workflowName, steps) {
                     const stepNameArg = args[0];
                     const secondArg = args[1];
                     const optionsArg = args.length >= 4 ? args[args.length - 1] : undefined;
-                    const stepName = extractStringLiteral(stepNameArg, checker);
+                    const stepName = extractStepName(stepNameArg, checker);
                     const description = extractDescription(optionsArg, checker) ?? undefined;
                     // Determine form by checking 2nd argument type
                     if (isStringLike(secondArg, checker)) {
@@ -115,7 +129,7 @@ function getWorkflowInvocations(node, checker, state, workflowName, steps) {
                     // workflow.sleep(stepName, duration)
                     const stepNameArg = args[0];
                     const durationArg = args[1];
-                    const stepName = extractStringLiteral(stepNameArg, checker);
+                    const stepName = extractStepName(stepNameArg, checker);
                     const duration = extractDuration(durationArg, checker);
                     steps.push({
                         type: 'sleep',

package/dist/error-codes.d.ts

@@ -59,3 +59,15 @@ export declare enum ErrorCode {
     WORKFLOW_MULTI_QUEUE_NOT_SUPPORTED = "PKU901",
     PII_IN_OUTPUT = "PKU910"
 }
+/**
+ * Severity of a tracked, coded diagnostic. `critical` always blocks the build;
+ * `error`/`warn` only block when the CLI is told to via `--fail-on-error` /
+ * `--fail-on-warn` (default: critical only). All severities are still printed.
+ */
+export type DiagnosticSeverity = 'warn' | 'error' | 'critical';
+/** A coded diagnostic emitted via `logger.diagnostic(...)`. */
+export interface CodedDiagnostic {
+    severity: DiagnosticSeverity;
+    code: ErrorCode;
+    message: string;
+}

package/dist/index.d.ts

@@ -3,6 +3,7 @@ export type { TypesMap } from './types-map.js';
 export type * from './types.js';
 export type { FilesAndMethodsErrors } from './utils/get-files-and-methods.js';
 export { ErrorCode } from './error-codes.js';
+export type { DiagnosticSeverity, CodedDiagnostic } from './error-codes.js';
 export { AUTH_HANDLER_FUNC_ID } from './add/add-auth.js';
 export { serializeInspectorState, deserializeInspectorState, } from './utils/serialize-inspector-state.js';
 export type { SerializableInspectorState } from './utils/serialize-inspector-state.js';

package/dist/inspector.js

@@ -209,9 +209,13 @@ export const inspect = async (logger, routeFiles, options = {}) => {
     // Use provided rootDir or infer from source files
     const rootDir = options.rootDir || findCommonAncestor(routeFiles);
     const startSourceFiles = performance.now();
+    // node_modules under rootDir (e.g. a locally-installed addon) is a
+    // dependency, not project source — scanning it double-counts the addon's
+    // own application types (CoreConfig/Services/SingletonServices).
     const sourceFiles = program
         .getSourceFiles()
-        .filter((sf) => sf.fileName.startsWith(rootDir));
+        .filter((sf) => sf.fileName.startsWith(rootDir) &&
+        !sf.fileName.includes('/node_modules/'));
     logger.debug(`Got source files in ${(performance.now() - startSourceFiles).toFixed(2)}ms`);
     const state = getInitialInspectorState(rootDir);
     // First sweep: add all functions

package/dist/types.d.ts

@@ -16,7 +16,7 @@ import type { VariableDefinitions } from '@pikku/core/variable';
 import type { TypesMap } from './types-map.js';
 import type { FunctionsMeta, FunctionServicesMeta, FunctionWiresMeta, JSONValue } from '@pikku/core';
 import type { OpenAPISpecInfo } from './utils/serialize-openapi-json.js';
-import type { ErrorCode } from './error-codes.js';
+import type { ErrorCode, CodedDiagnostic } from './error-codes.js';
 import type { VersionManifest, VersionValidateError } from './utils/contract-hashes.js';
 import type { SerializedWorkflowGraphs } from './utils/workflow/graph/workflow-graph.types.js';
 export type PathToNameAndType = Map<string, {
@@ -192,6 +192,15 @@ export interface InspectorLogger {
     error: (message: string) => void;
     warn: (message: string) => void;
     debug: (message: string) => void;
+    /**
+     * Emit a tracked, coded diagnostic. It is recorded and printed; `error`/`warn`
+     * only block the build when the CLI is run with `--fail-on-error` /
+     * `--fail-on-warn` (default: critical only). Use this for issues worth
+     * surfacing (e.g. data-classification leaks) that should not stop the dev
+     * server from starting.
+     */
+    diagnostic: (diagnostic: CodedDiagnostic) => void;
+    /** Sugar for `diagnostic({ severity: 'critical', code, message })`. */
     critical: (code: ErrorCode, message: string) => void;
     hasCriticalErrors: () => boolean;
 }
@@ -263,6 +272,9 @@ export interface AuthDefinition {
      *  `auth-meta.gen.json` so the console SSO page can show which plugins are
      *  enabled. */
     plugins: string[];
+    /** Whether `session.cookieCache` is enabled — drives the stateless session
+     * middleware split in the auth codegen. Absent/false ⇒ stateful middleware. */
+    cookieCache?: boolean;
     /**
      * Singleton services the generated auth handler must have available at
      * runtime — the services the `pikkuBetterAuth` factory reaches for (either

package/dist/utils/extract-node-value.js

@@ -26,8 +26,8 @@ export function extractStringLiteral(node, checker) {
     }
     if (ts.isBinaryExpression(node) &&
         node.operatorToken.kind === ts.SyntaxKind.PlusToken) {
-        return (extractStringLiteral(node.left, checker) +
-            extractStringLiteral(node.right, checker));
+        return (extractConcatOperand(node.left, checker) +
+            extractConcatOperand(node.right, checker));
     }
     // Try to evaluate constant identifiers
     if (ts.isIdentifier(node)) {
@@ -42,6 +42,23 @@ export function extractStringLiteral(node, checker) {
     }
     throw new Error('Unable to extract string literal from node');
 }
+/**
+ * Resolve one operand of a `+` string concatenation.
+ *
+ * An operand that can't be statically resolved (e.g. `a ?? b`) becomes a
+ * `${...}` placeholder rather than throwing — mirroring the TemplateExpression
+ * branch above, so `'x ' + expr` and `` `x ${expr}` `` produce the same string.
+ * This keeps an unresolvable display name from aborting the whole extraction.
+ */
+function extractConcatOperand(node, checker) {
+    try {
+        return extractStringLiteral(node, checker);
+    }
+    catch {
+        const inner = ts.isParenthesizedExpression(node) ? node.expression : node;
+        return '${' + inner.getText() + '}';
+    }
+}
 /**
  * Check if node is string-like (string literal or template expression)
  */

package/dist/utils/workflow/dsl/extract-dsl-workflow.js

@@ -255,6 +255,21 @@ function extractVariableDeclaration(statement, context) {
                 return step;
             }
         }
+        // Promise.all fanout/group captured into a variable
+        // (const results = await Promise.all(array.map(...)))
+        if (isParallelFanout(call) || isParallelGroup(call)) {
+            const step = isParallelFanout(call)
+                ? extractParallelFanout(call, context)
+                : extractParallelGroup(call, context);
+            if (step) {
+                const type = context.checker.getTypeAtLocation(decl);
+                context.outputVars.set(varName, { type, node: decl });
+                if (isArrayType(type, context.checker)) {
+                    context.arrayVars.add(varName);
+                }
+                return step;
+            }
+        }
     }
     // Check for array.filter(...)
     if (ts.isCallExpression(init)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pikku/inspector",
-  "version": "0.12.20",
+  "version": "0.12.22",
   "author": "yasser.fadl@gmail.com",
   "license": "BUSL-1.1",
   "type": "module",
@@ -35,7 +35,8 @@
   },
   "dependencies": {
     "@openapi-contrib/json-schema-to-openapi-schema": "^4.3.1",
-    "@pikku/core": "^0.12.32",
+    "@pikku/core": "^0.12.35",
+    "openapi-types": "^12.1.3",
     "path-to-regexp": "^8.3.0",
     "ts-json-schema-generator": "^2.5.0",
     "tsx": "^4.21.0",

package/src/add/add-auth.test.ts

@@ -13,6 +13,9 @@ const makeLogger = (criticals: Array<{ code: ErrorCode; message: string }>) =>
     info: () => {},
     warn: () => {},
     error: () => {},
+    diagnostic: ({ code, message }) => {
+      criticals.push({ code, message })
+    },
     critical: (code: ErrorCode, message: string) => {
       criticals.push({ code, message })
     },
@@ -50,6 +53,7 @@ describe('addAuth inspector', () => {
         sourceFile: file,
         basePath: '/api/auth',
         hasCredentials: false,
+        cookieCache: false,
         plugins: [],
         services: { optimized: true, services: [] },
       })
@@ -95,6 +99,88 @@ describe('addAuth inspector', () => {
     }
   })
 
+  test('detects session.cookieCache for the stateless middleware split', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-cookiecache-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { pikkuBetterAuth } from '@pikku/better-auth'",
+        "import { betterAuth } from 'better-auth'",
+        'export const auth = pikkuBetterAuth(() =>',
+        '  betterAuth({',
+        '    session: { cookieCache: { enabled: true } },',
+        "    emailAndPassword: { enabled: true },",
+        '  })',
+        ')',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.equal(criticals.length, 0)
+      assert.equal(state.auth.definition?.cookieCache, true)
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('cookieCache: { enabled: false } does not enable the stateless split', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-nocache-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { pikkuBetterAuth } from '@pikku/better-auth'",
+        "import { betterAuth } from 'better-auth'",
+        'export const auth = pikkuBetterAuth(() =>',
+        '  betterAuth({',
+        '    session: { cookieCache: { enabled: false } },',
+        '  })',
+        ')',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.equal(criticals.length, 0)
+      assert.equal(state.auth.definition?.cookieCache, false)
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('cookieCache: { "enabled": false } (string-literal key) is honoured', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-strkey-'))
+    const file = join(rootDir, 'auth.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { pikkuBetterAuth } from '@pikku/better-auth'",
+        "import { betterAuth } from 'better-auth'",
+        'export const auth = pikkuBetterAuth(() =>',
+        '  betterAuth({',
+        '    session: { cookieCache: { "enabled": false } },',
+        '  })',
+        ')',
+      ].join('\n')
+    )
+
+    const criticals: Array<{ code: ErrorCode; message: string }> = []
+    try {
+      const state = await inspect(makeLogger(criticals), [file], { rootDir })
+      assert.equal(criticals.length, 0)
+      assert.equal(state.auth.definition?.cookieCache, false)
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
   test('extracts plugin ids from the betterAuth plugins array', async () => {
     const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-auth-plugins-'))
     const file = join(rootDir, 'auth.ts')

package/src/add/add-auth.ts

@@ -188,12 +188,30 @@ export const addAuth: AddWiring = (logger, node, _checker, state) => {
   // Find the inner betterAuth({...}) call to read providers/basePath/credentials.
   let basePath = DEFAULT_BASE_PATH
   let hasCredentials = false
+  let cookieCache = false
   const betterAuthCall = findBetterAuthCall(factory)
   const config = betterAuthCall?.arguments[0]
 
   if (config && ts.isObjectLiteralExpression(config)) {
     basePath = readStringProp(config, 'basePath') ?? DEFAULT_BASE_PATH
 
+    // Detect `session.cookieCache.enabled` → drives the stateless middleware split.
+    const session = readObjectProp(config, 'session')
+    if (session) {
+      const cookieCacheBlock = readObjectProp(session, 'cookieCache')
+      if (cookieCacheBlock) {
+        const enabledProp = cookieCacheBlock.properties.find(
+          (p) =>
+            ts.isPropertyAssignment(p) &&
+            (ts.isIdentifier(p.name) || ts.isStringLiteral(p.name)) &&
+            p.name.text === 'enabled'
+        ) as ts.PropertyAssignment | undefined
+        cookieCache =
+          !enabledProp ||
+          enabledProp.initializer.kind !== ts.SyntaxKind.FalseKeyword
+      }
+    }
+
     const emailAndPassword = readObjectProp(config, 'emailAndPassword')
     if (emailAndPassword) {
       // `emailAndPassword: { enabled: true }` — treat a present block without an
@@ -244,6 +262,7 @@ export const addAuth: AddWiring = (logger, node, _checker, state) => {
     sourceFile,
     basePath,
     hasCredentials,
+    cookieCache,
     plugins: [...state.auth.plugins],
     services,
   }

package/src/add/add-cli-renderers.test.ts

@@ -0,0 +1,74 @@
+import { strict as assert } from 'assert'
+import { describe, test } from 'node:test'
+import { mkdtemp, rm, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { inspect } from '../inspector.js'
+import type { InspectorLogger } from '../types.js'
+
+const makeLogger = () =>
+  ({
+    debug: () => {},
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    diagnostic: () => {},
+    critical: () => {},
+    hasCriticalErrors: () => false,
+  }) satisfies InspectorLogger
+
+describe('addCLIRenderers inspector', () => {
+  test('extracts destructured renderer services from the callback param', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-cli-renderer-'))
+    const file = join(rootDir, 'cli.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireCLI, pikkuCLIRender } from '@pikku/core/cli'",
+        'export const render = pikkuCLIRender(({ logger }, data) => {',
+        '  logger.info(data.message)',
+        '})',
+        "wireCLI({ program: 'pikku', render, commands: {} })",
+      ].join('\n')
+    )
+
+    try {
+      const state = await inspect(makeLogger(), [file], { rootDir })
+      assert.deepEqual(state.cli.meta.renderers['render'], {
+        name: 'render',
+        exportedName: 'render',
+        services: { optimized: true, services: ['logger'] },
+        filePath: file,
+      })
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+
+  test('marks non-destructured renderer services as unoptimized', async () => {
+    const rootDir = await mkdtemp(join(tmpdir(), 'pikku-add-cli-renderer-all-'))
+    const file = join(rootDir, 'cli.ts')
+
+    await writeFile(
+      file,
+      [
+        "import { wireCLI, pikkuCLIRender } from '@pikku/core/cli'",
+        'export const render = pikkuCLIRender((services, data) => {',
+        '  services.logger.info(data.message)',
+        '})',
+        "wireCLI({ program: 'pikku', render, commands: {} })",
+      ].join('\n')
+    )
+
+    try {
+      const state = await inspect(makeLogger(), [file], { rootDir })
+      assert.deepEqual(state.cli.meta.renderers['render']?.services, {
+        optimized: false,
+        services: [],
+      })
+    } finally {
+      await rm(rootDir, { recursive: true, force: true })
+    }
+  })
+})

package/src/add/add-cli.ts

@@ -18,6 +18,7 @@ import { getPropertyValue } from '../utils/get-property-value.js'
 import { resolveIdentifier } from '../utils/resolve-identifier.js'
 import { resolveAddonName } from '../utils/resolve-addon-package.js'
 import { validateAuthSessionless } from '../utils/validate-auth-sessionless.js'
+import { extractServicesFromFunction } from '../utils/extract-services.js'
 
 // Track if we've warned about missing Config type to avoid duplicate warnings
 const configTypeWarningShown = new Set<string>()
@@ -924,7 +925,7 @@ export const addCLIRenderers: AddWiring = (
 ) => {
   if (!ts.isCallExpression(node)) return
 
-  const { expression, arguments: args, typeArguments } = node
+  const { expression, arguments: args } = node
 
   // Only handle pikkuCLIRender calls
   if (!ts.isIdentifier(expression) || expression.text !== 'pikkuCLIRender') {
@@ -944,30 +945,13 @@ export const addCLIRenderers: AddWiring = (
   const sourceFile = node.getSourceFile()
   const filePath = sourceFile.fileName
 
-  // Extract services from type parameters (second type param is Services)
-  const services: { optimized: boolean; services: string[] } = {
-    optimized: true,
-    services: [],
-  }
-
-  if (typeArguments && typeArguments.length >= 2) {
-    // Second type parameter is the Services type
-    const servicesTypeNode = typeArguments[1]
-    if (servicesTypeNode) {
-      const servicesType = typeChecker.getTypeFromTypeNode(servicesTypeNode)
-
-      // Extract property names from the Services type
-      const properties = servicesType.getProperties()
-      for (const prop of properties) {
-        services.services.push(prop.getName())
-      }
-
-      // If no specific services found, it might be using the full services object
-      if (properties.length === 0) {
-        services.optimized = false
-      }
-    }
-  }
+  // Renderer service usage is defined by the callback's first parameter shape,
+  // the same way function/auth service usage is tracked elsewhere in the inspector.
+  const renderFunc = args[0]
+  const services =
+    ts.isArrowFunction(renderFunc) || ts.isFunctionExpression(renderFunc)
+      ? extractServicesFromFunction(renderFunc)
+      : { optimized: true, services: [] }
 
   // Store renderer metadata
   inspectorState.cli.meta.renderers[pikkuFuncId] = {