jscpd-rs 0.1.1 → 0.1.3

package/CHANGELOG.md

@@ -1,5 +1,30 @@
 # Changelog
 
+## 0.1.3 - 2026-06-01
+
+### Changed
+
+- Tighten GitHub Release publication gates: npm and crates.io publication now
+  run the release-candidate gate before publishing.
+- Block the main npm package publication if any configured prebuilt platform
+  package is missing or failed to publish.
+- Add a core coverage gate to the release-candidate flow.
+- Add an advisory server benchmark for comparing native and upstream
+  `/api/check` latency.
+- Refresh npm, prebuilt-binary, release-readiness, and README documentation for
+  the prebuilt-first install path.
+
+## 0.1.2 - 2026-06-01
+
+### Changed
+
+- Rename the Windows prebuilt npm package to `jscpd-rs-win` to avoid npm
+  registry spam-policy false positives on the previous machine-generated name.
+- Move the Linux arm64 prebuilt build to the Ubuntu 22.04 ARM runner for a more
+  stable native ARM publication path and older glibc baseline.
+- Allow npm release workflow reruns for a single prebuilt target without
+  republishing the already-published main package.
+
 ## 0.1.1 - 2026-06-01
 
 ### Added

package/Cargo.lock

@@ -483,7 +483,7 @@ checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
 
 [[package]]
 name = "jscpd-rs"
-version = "0.1.1"
+version = "0.1.3"
 dependencies = [
  "anyhow",
  "axum",

package/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "jscpd-rs"
-version = "0.1.1"
+version = "0.1.3"
 edition = "2024"
 rust-version = "1.93"
 license = "MIT"
@@ -20,6 +20,7 @@ include = [
     "/examples/**",
     "/skills/**",
     "/src/**",
+    "/tests/**",
 ]
 
 [[bin]]

package/README.md

@@ -48,7 +48,7 @@ npx jscpd-rs .
 Current npm packaging note: `jscpd-rs` installs prebuilt Linux, macOS, and
 Windows binaries where available, then falls back to building from source with
 Cargo for unsupported platforms. The original `0.1.0` npm package was
-source-build only; use `0.1.1+` for the prebuilt-first path. See
+source-build only; use `0.1.2+` for the full prebuilt-first path. See
 [docs/prebuilt-binaries.md](docs/prebuilt-binaries.md).
 
 From this repository:
@@ -138,7 +138,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: dtolnay/rust-toolchain@stable
       - uses: actions/setup-node@v5
         with:
           node-version: 22
@@ -235,11 +234,20 @@ Latest recorded public benchmark baseline for duplicate-code detection:
 Reproduce the public benchmark and coverage suite:
 
 ```bash
-PUBLIC=1 PUBLIC_RUNS=3 scripts/release-gate.sh
+scripts/release-candidate.sh
+```
+
+Benchmark native server snippet checks against upstream:
+
+```bash
+RUNS=20 scripts/bench-server.sh
 ```
 
 Release-candidate workflows rerun the public suite before each new publication
-so README numbers stay tied to a concrete commit and gate output.
+and enforce the core coverage gate, so README numbers stay tied to a concrete
+commit and gate output. The public release gate fails below a 45x speedup on
+the default benchmark cases to prevent silent performance regressions while
+preserving room for normal runner noise.
 
 ## Library API
 
@@ -319,6 +327,19 @@ scripts/compat-reporters.sh
 STRICT=coverage scripts/compat-matrix.sh
 ```
 
+Rust code coverage is optional and intentionally kept out of the default fast
+gate:
+
+```bash
+cargo install cargo-llvm-cov --locked
+SUMMARY=1 scripts/coverage.sh
+SCOPE=core SUMMARY=1 scripts/coverage.sh
+SCOPE=core FAIL_UNDER_LINES=93 scripts/coverage.sh
+```
+
+Black-box behavior tests that exercise the public API live in `tests/`. Small
+private-helper tests stay next to the module they protect.
+
 Known upstream bug candidates and intentional compatibility exceptions are
 tracked in [docs/upstream-bugs.md](docs/upstream-bugs.md). GitHub-ready issue
 drafts are prepared in
@@ -332,6 +353,9 @@ Fast local gate:
 scripts/release-gate.sh
 ```
 
+The fast gate includes `cargo fmt`, `cargo test`, shell syntax checks,
+`shellcheck`, package/install checks, and the focused compatibility gates.
+
 Package/install gate:
 
 ```bash
@@ -353,7 +377,7 @@ FULL=1 scripts/release-gate.sh
 Public benchmark and coverage gate:
 
 ```bash
-PUBLIC=1 PUBLIC_RUNS=3 scripts/release-gate.sh
+scripts/release-candidate.sh
 ```
 
 Release candidate gate:

package/docs/migrating-from-jscpd.md

@@ -127,7 +127,7 @@ These are intentional first-release limits:
   tokenizer is needed;
 - the Rust crate exposes a native Rust API, not the upstream JavaScript package
   API;
-- `jscpd-rs@0.1.1+` npm packaging uses prebuilt binaries on supported Linux,
+- `jscpd-rs@0.1.2+` npm packaging uses prebuilt binaries on supported Linux,
   macOS, and Windows targets, with a Cargo source-build fallback for
   unsupported platforms. The original `0.1.0` npm package was source-build
   only.
@@ -192,7 +192,7 @@ npm/npx-based `jscpd-rs` CI:
 - run: npx jscpd-rs src --reporters console,json --threshold 5 --exitCode 1
 ```
 
-`jscpd-rs@0.1.1+` npm installs use prebuilt binaries where available and fall
+`jscpd-rs@0.1.2+` npm installs use prebuilt binaries where available and fall
 back to Cargo source-build on unsupported platforms. The original `0.1.0` npm
 package still needs Rust available during installation; see the
 [prebuilt binary distribution plan](prebuilt-binaries.md).

package/docs/npm-release.md

@@ -3,15 +3,17 @@
 Current npm readiness snapshot:
 
 - Date: 2026-06-01.
-- Baseline commit: `e343350`; rerun `scripts/npm-package-check.sh` on the
-  exact checkout before npm publish.
-- GitHub Actions `release-gate`: passed on run `26743839098`.
-- Local checks passed: `cargo test`, `scripts/package-check.sh`,
-  `scripts/npm-package-check.sh`, local `npx --no-install` smoke for
-  `jscpd-rs`, `jscpd`, and `jscpd-server`.
-- Package name status: `npm view jscpd-rs version` returned `E404`.
-- Packed artifact audit: `jscpd-rs-0.1.0.tgz`, 96 files, about 169 KiB packed,
-  about 708 KiB unpacked.
+- Current published version: `jscpd-rs@0.1.3`.
+- Latest npm publish workflow: `v0.1.3` GitHub Release workflow.
+- Published platform packages: `jscpd-rs-linux-x64-gnu`,
+  `jscpd-rs-linux-arm64-gnu`, `jscpd-rs-darwin-x64`,
+  `jscpd-rs-darwin-arm64`, and `jscpd-rs-win`.
+- Post-publication smoke passed from clean temporary directories:
+  `npm install jscpd-rs@0.1.3`, `jscpd-rs --version`, `jscpd --version`,
+  `jscpd-server --version`, and
+  `npx --package jscpd-rs@0.1.3 jscpd-rs --version`.
+- Rerun `scripts/npm-package-check.sh` on the exact checkout before publishing
+  any new npm version.
 
 The npm package is `jscpd-rs`. It exposes these bin commands:
 
@@ -19,7 +21,7 @@ The npm package is `jscpd-rs`. It exposes these bin commands:
 - `jscpd`: installed alias for the native `jscpd` CLI.
 - `jscpd-server`: installed alias for the native server binary.
 
-`jscpd-rs@0.1.1+` publishes prebuilt platform packages before the main
+`jscpd-rs@0.1.2+` publishes prebuilt platform packages before the main
 `jscpd-rs` package. The CLI behavior stays the same, and the source-build path
 remains the fallback for unsupported platforms. The original `0.1.0` package
 was source-build only; see the
@@ -57,7 +59,7 @@ Before actual publication, run:
 git status --short
 npm whoami
 scripts/npm-package-check.sh
-npm view jscpd-rs version
+npm view jscpd-rs@X.Y.Z version
 ```
 
 For a new version, `npm view jscpd-rs@X.Y.Z version` should fail before the
@@ -70,14 +72,8 @@ crate and GitHub tag have already been published: that script is the full
 Cargo/GitHub first-publication gate and intentionally checks that the crate name
 and release tag are still available.
 
-If the package name is still free and the npm account is logged in:
-
-```bash
-scripts/npm-package-check.sh
-npm publish --access public
-```
-
-If the account requires a one-time password for publish:
+If an emergency manual fallback is approved and the npm account requires a
+one-time password for publish:
 
 ```bash
 npm publish --access public --otp 123456
@@ -97,11 +93,17 @@ This repository provides a publish workflow:
 ```
 
 The workflow runs automatically when a non-draft, non-prerelease GitHub Release
-is published. It checks out the release tag, verifies that the tag matches the
-`package.json` version, verifies that the main npm version is not already
-published, builds platform packages in a native runner matrix, publishes those
-platform packages first, runs `scripts/npm-package-check.sh`, and then
-publishes the main `jscpd-rs` package.
+is published. It checks out the release tag, runs `scripts/release-candidate.sh`
+as a preflight, verifies that the tag matches the `package.json` version,
+verifies that the main npm version is not already published, builds platform
+packages in a native runner matrix, publishes those platform packages first,
+verifies that every optional platform package exists for the release version,
+runs `scripts/npm-package-check.sh`, and then publishes the main `jscpd-rs`
+package.
+
+The main package is blocked when any configured platform package fails or is
+missing. For a target-only rerun, set `publish_main=false`; using `target` with
+`publish_main=true` is rejected by the workflow.
 
 It can also be run manually from GitHub Actions as a fallback by entering
 `jscpd-rs` in the confirmation input.
@@ -127,13 +129,15 @@ Then publish automatically from GitHub:
 4. Create and publish a GitHub Release with tag `vX.Y.Z`.
 5. GitHub Actions will run `npm-publish` from that release tag.
 
-Manual fallback:
+Manual workflow fallback:
 
 1. Open GitHub Actions.
 2. Select the `npm-publish` workflow.
 3. Click **Run workflow** on `main`.
 4. Enter `jscpd-rs` for `package_name`.
-5. Run the workflow.
+5. Optionally enter a single target key such as `linux-arm64-gnu` and set
+   `publish_main=false` when only one prebuilt package needs a rerun.
+6. Run the workflow.
 
 If npm does not allow Trusted Publishing configuration before a platform package
 version exists, add a short-lived `NPM_TOKEN` GitHub secret for the first

package/docs/prebuilt-binaries.md

@@ -1,6 +1,6 @@
 # Prebuilt Binary Distribution
 
-`jscpd-rs` is a native Rust CLI. Starting with `jscpd-rs@0.1.1`, npm
+`jscpd-rs` is a native Rust CLI. Starting with `jscpd-rs@0.1.2`, npm
 distribution uses a small main package plus platform-specific optional
 packages. The original `0.1.0` npm package was source-build only.
 
@@ -28,10 +28,10 @@ The target matrix is defined in `npm/prebuilt-targets.json`.
 | Package | Rust target | Runner |
 | --- | --- | --- |
 | `jscpd-rs-linux-x64-gnu` | `x86_64-unknown-linux-gnu` | `ubuntu-24.04` |
-| `jscpd-rs-linux-arm64-gnu` | `aarch64-unknown-linux-gnu` | `ubuntu-24.04-arm` |
+| `jscpd-rs-linux-arm64-gnu` | `aarch64-unknown-linux-gnu` | `ubuntu-22.04-arm` |
 | `jscpd-rs-darwin-x64` | `x86_64-apple-darwin` | `macos-15-intel` |
 | `jscpd-rs-darwin-arm64` | `aarch64-apple-darwin` | `macos-15` |
-| `jscpd-rs-win32-x64-msvc` | `x86_64-pc-windows-msvc` | `windows-2025` |
+| `jscpd-rs-win` | `x86_64-pc-windows-msvc` | `windows-2025` |
 
 Consider Linux musl and Windows arm64 only after install data or user reports
 show demand.
@@ -54,12 +54,20 @@ show demand.
 The GitHub Release workflow in `.github/workflows/npm-publish.yml` publishes in
 this order:
 
-1. Verify that the GitHub Release tag matches `package.json`.
-2. Build platform packages in a native runner matrix.
-3. Smoke-test `jscpd --version` and `jscpd-server --version` for each package.
-4. Publish the platform packages.
-5. Run `scripts/npm-package-check.sh`.
-6. Publish the main `jscpd-rs` package.
+1. Run `scripts/release-candidate.sh`, including the full compatibility
+   matrix, public speed gate, and core coverage gate.
+2. Verify that the GitHub Release tag matches `package.json`.
+3. Build platform packages in a native runner matrix.
+4. Smoke-test `jscpd --version` and `jscpd-server --version` for each package.
+5. Publish the platform packages.
+6. Verify every optional platform package is published for the release version.
+7. Run `scripts/npm-package-check.sh`.
+8. Publish the main `jscpd-rs` package.
+
+The main npm package is intentionally blocked when any configured platform
+package fails or is missing. Manual target-only reruns must set
+`publish_main=false`; the main package should not be published with an
+accidental source-build fallback on a supported platform.
 
 The workflow publishes with npm provenance enabled. It is designed for Trusted
 Publishing, but `NPM_TOKEN` can be kept as a temporary bootstrap fallback for
@@ -83,7 +91,7 @@ Packages:
 - `jscpd-rs-linux-arm64-gnu`
 - `jscpd-rs-darwin-x64`
 - `jscpd-rs-darwin-arm64`
-- `jscpd-rs-win32-x64-msvc`
+- `jscpd-rs-win`
 
 If a temporary npm token is used for the first platform-package bootstrap,
 revoke it after Trusted Publishing succeeds.

package/docs/public-benchmark-suite.md

@@ -31,7 +31,7 @@ Usage:
 LIST=1 scripts/public-bench-suite.sh
 CASES=react,next RUNS=3 scripts/public-bench-suite.sh
 CHECK_COMPAT=1 CASES=react scripts/public-bench-suite.sh
-MIN_SPEEDUP=10 CASES=react,next RUNS=3 scripts/public-bench-suite.sh
+MIN_SPEEDUP=45 CASES=react,next RUNS=3 scripts/public-bench-suite.sh
 UPSTREAM_TIMEOUT=600s CASES=vscode RUNS=1 scripts/public-bench-suite.sh
 PUBLIC=1 PUBLIC_CASES=react,next PUBLIC_RUNS=3 scripts/release-gate.sh
 ```
@@ -47,6 +47,10 @@ bounded by `UPSTREAM_TIMEOUT` (`600s` by default) so optional stress cases canno
 hang a release gate indefinitely; set `RUST_TIMEOUT` or `UPSTREAM_TIMEOUT` to an
 empty value to disable that side's timeout.
 
+The release gate uses `PUBLIC_MIN_SPEEDUP=45` by default. This intentionally
+locks the 50x+ product baseline with enough headroom for normal runner noise;
+lowering that threshold requires an explicit release decision.
+
 When `CHECK_COMPAT=1` is enabled, the suite runs the same coverage-first report
 comparison used by the fixture gates. `react`, `next`, and `prometheus` include
 narrow allowlists for upstream overextended ranges documented in

package/docs/release-checklist.md

@@ -79,6 +79,8 @@ Before publishing, all of these must be true:
 - `git submodule status jscpd` points at the reviewed upstream reference.
 - `scripts/release-candidate.sh` passes on the exact code commit being tagged.
 - GitHub Actions `release-gate` passes on the pushed commit.
+- GitHub Actions `crates-publish` and `npm-publish` release jobs are allowed to
+  run their own release-candidate preflight before publishing.
 - `scripts/package-check.sh` passes and the package file list excludes
   `jscpd/`, `target/`, `node_modules/`, and `scripts/`.
 - `scripts/npm-package-check.sh` passes, including `npm pack`,
@@ -89,9 +91,12 @@ Before publishing, all of these must be true:
 - `README.md`, `docs/compat-baseline.md`, and
   `docs/public-benchmark-suite.md` contain the same recorded public benchmark
   numbers.
-- For the first publication, the `jscpd-rs` crate and npm package names are
-  still available or already owned by this project, and `v0.1.0` does not
-  already exist locally or on the remote.
+- For a new publication, the target crate version, npm package versions, and
+  `vX.Y.Z` Git tag are not already published, unless an explicitly documented
+  target-only npm rerun is being used for a prebuilt package.
+- For npm publication, every configured prebuilt optional package is published
+  before the main `jscpd-rs` package; target-only reruns use
+  `publish_main=false`.
 - `docs/upstream-bugs.md` contains concrete repro commands for upstream issues
   we plan to file.
 - `docs/upstream-issue-drafts.md` contains reviewed issue drafts ready to
@@ -140,18 +145,20 @@ scripts/prepublish-check.sh
 ```
 
 The script checks clean git state, the reviewed `jscpd` submodule reference,
-local and remote tag availability, exact crate-name availability through
-`cargo search`, exact npm package-name availability through `npm view`,
+local and remote tag availability, exact crate version availability through
+`cargo info`, exact npm package version availability through `npm view`,
 benchmark-number consistency across release docs, the full release-candidate
 gate, package/install validation, npm pack/npx validation, and
-`cargo publish --dry-run --locked`. Set `RUN_RELEASE_CANDIDATE=0` only when the
-same code commit already has fresh local and CI release-candidate evidence.
+`cargo publish --dry-run --locked`. The npm availability check covers the main
+package and every prebuilt optional package. Set
+`RUN_RELEASE_CANDIDATE=0` only when the same code commit already has fresh
+local and CI release-candidate evidence.
 
 Then push the exact release commit and verify the GitHub Actions
 `release-gate` result. Use the workflow dispatch `release_candidate` input for a
 full CI-side release-candidate run when needed.
 
-For the first publication candidate checked on 2026-05-31, local and remote
+Historical first publication candidate checked on 2026-05-31: local and remote
 `v0.1.0` tag lookups returned no entries. `cargo search jscpd-rs --limit 5`
 returned no exact crate, `npm view jscpd-rs version` returned `E404`, and the
 sparse crates.io index path
@@ -178,8 +185,8 @@ two explicit commands above are a manual smoke equivalent for post-tag checks.
 Track these after the first release candidate:
 
 - Reduce noisy extra Rust findings where they are user-visible false positives.
-- Verify the first npm prebuilt platform-package publication before broad npm
-  promotion so Node users can install without Cargo; see the
+- Monitor npm prebuilt install behavior and add Linux musl or Windows arm64
+  packages only when install data or user reports show demand; see the
   [prebuilt binary distribution plan](prebuilt-binaries.md).
 - Add native persistent store/cache only if release-scale benchmark data needs
   it.

package/docs/release-decisions.md

@@ -77,8 +77,14 @@ choice insufficient.
 
 - Performance remains a product requirement. Public benchmark runs should be
   repeated before publication with pinned commits and recorded speedups.
+- Refactors, simplifications, compatibility fixes, and dependency swaps must not
+  introduce sustained speed regressions. If a change touches discovery,
+  tokenization, matching, source loading, reporter hot paths, or server snippet
+  checks, rerun the affected benchmark case before treating the core as stable.
 - The aspirational target is 50x on representative cases, but release gating
-  should use measured thresholds from the selected public benchmark suite.
+  should use measured thresholds from the selected public benchmark suite. The
+  default public release gate currently fails below 45x to preserve the 50x+
+  baseline while leaving room for runner noise.
 
 ## Approved Complex Feature Choices
 

package/docs/release-readiness.md

@@ -23,7 +23,9 @@ current implementation status.
 | Native Rust API | ready | `jscpd`, `jscpd_with_exit_callback`, `Tokenizer`, `Detector`, `Statistic`, `MemoryStore`, `detect_clones`, `detect_clones_and_statistic`, `detect_clones_and_statistics`, `detect_source_files`, default options, argv option parsing, supported formats, and format lookup helpers expose the app, tokenizer, detector, statistics, and store core for path-based and in-memory integrations. See `docs/api-parity.md`. |
 | Native server | partial | `jscpd-server` exposes `/`, `/api/health`, `/api/stats`, `/api/check`, `/api/recheck`, and `/mcp`; exact help text, stable CLI, HTTP success/error, and MCP contracts are gated; `/api/check` reuses prepared project token maps; exact upstream Streamable HTTP SDK behavior remains follow-up. |
 | Performance harness | ready | Local benchmark script and public benchmark suite with pinned output recording and speedup gates. |
-| Release gates | ready | Default CI gate, full compatibility matrix, Cargo/npm package checks, reporter/config/CLI/blame gates. The default gate now prints per-step timings, caches Cargo/pnpm/upstream build artifacts, and uses target-reuse npm package smoke in push/PR CI while keeping cold npm source-build in release-candidate/prepublish gates. |
+| Server benchmark harness | ready | `scripts/bench-server.sh` compares native and upstream `/api/check` latency on the same initialized project and snippet payload. Keep it advisory until real server usage needs a blocking gate. |
+| Release gates | ready | Default CI gate, full compatibility matrix, Cargo/npm package checks, reporter/config/CLI/blame gates. The default gate prints per-step timings, caches Cargo/pnpm/upstream build artifacts, and uses target-reuse npm package smoke in push/PR CI while keeping cold npm source-build in release-candidate/prepublish gates. GitHub npm/crates publish workflows now run `scripts/release-candidate.sh` before publishing. |
+| Code coverage tooling | ready | One script: `scripts/coverage.sh`. Use `SCOPE=full` for the full advisory report and `SCOPE=core` for core coverage that runs all test targets while excluding CLI/server glue from the report. Local baseline on 2026-06-01: full 91.54% line / 90.13% region coverage; core 93.18% line / 91.39% region coverage. `scripts/release-candidate.sh` enforces `SCOPE=core FAIL_UNDER_LINES=93 scripts/coverage.sh` by default. |
 
 ## Partial Or Follow-Up
 
@@ -35,8 +37,8 @@ current implementation status.
 | HTML reporter polish | practical parity | Keep self-contained HTML stable. Do not chase pixel-perfect upstream parity for the first release. |
 | Terminal cosmetics | practical parity | Important messages are gated; exact wrapping/order remains lower priority. |
 | Upstream JavaScript API parity | follow-up | Native Rust helpers cover the practical app/tokenizer/detector/statistics/store concepts, including an embeddable argv runner and tokenizer map generation; exact JS package export shape is not implemented in the Rust crate. See `docs/api-parity.md`. |
-| Server snippet matching | optimized baseline | Native `/api/check` and MCP `check_duplication` are functional and reuse project token maps from the last scan; add a dedicated window index only if real server benchmarks require it. |
-| Npm prebuilt binaries | ready for 0.1.1 | Platform-specific optional package metadata, runtime prebuilt resolution, prebuilt/fallback package checks, and GitHub Release publishing automation are wired for `jscpd-rs@0.1.1+`. See the [prebuilt binary distribution plan](prebuilt-binaries.md). |
+| Server snippet matching | optimized baseline | Native `/api/check` and MCP `check_duplication` are functional and reuse project token maps from the last scan; use `scripts/bench-server.sh` before adding a dedicated window index. |
+| Npm prebuilt binaries | ready | Platform-specific optional package metadata, runtime prebuilt resolution, prebuilt/fallback package checks, and GitHub Release publishing automation are wired for `jscpd-rs@0.1.2+`. The main npm package is blocked if any configured platform package fails or is missing. See the [prebuilt binary distribution plan](prebuilt-binaries.md). |
 | Latest full publication gate | ready | `scripts/prepublish-check.sh` passed locally on code commit `8c3da0e`, including `scripts/release-candidate.sh`, package/install verification, crate/tag availability checks, npm package/name/npx verification, and `cargo publish --dry-run --locked`. GitHub Actions default `release-gate` passed on code commit `8c3da0e` in run `26710762680`. After benchmark documentation updates, `RUN_RELEASE_CANDIDATE=0 scripts/prepublish-check.sh` is the package/dry-run refresh gate for the exact package contents being tagged. |
 
 ## Post-MVP
@@ -49,3 +51,4 @@ current implementation status.
 | MCP endpoint polish | Core native endpoint exists; tighten exact SDK edge cases only when MCP client compatibility demands it. |
 | Persistent cache/store backends | Add only if public benchmark data proves the in-memory path is insufficient. |
 | Full Prism grammar port | Do not rewrite all grammars eagerly; use native crates or small scanners only for proven gaps. |
+| CI coverage enforcement | Keep coverage out of the default fast gate until CI runtime is measured; the core coverage gate now runs in release-candidate flows. |

package/docs/user-guide.md

@@ -29,7 +29,7 @@ npm install -g jscpd-rs
 npx jscpd-rs --version
 ```
 
-`jscpd-rs@0.1.1+` installs prebuilt Linux, macOS, and Windows binaries where
+`jscpd-rs@0.1.2+` installs prebuilt Linux, macOS, and Windows binaries where
 available and falls back to building from source with Cargo for unsupported
 platforms. The original `0.1.0` npm package was source-build only. See the
 [prebuilt binary distribution plan](prebuilt-binaries.md).

package/npm/prebuilt-targets.json

@@ -15,7 +15,7 @@
     "cpu": "arm64",
     "libc": "glibc",
     "rustTarget": "aarch64-unknown-linux-gnu",
-    "runner": "ubuntu-24.04-arm"
+    "runner": "ubuntu-22.04-arm"
   },
   "darwin-x64": {
     "packageName": "jscpd-rs-darwin-x64",
@@ -34,8 +34,8 @@
     "runner": "macos-15"
   },
   "win32-x64-msvc": {
-    "packageName": "jscpd-rs-win32-x64-msvc",
-    "description": "Prebuilt Windows x64 MSVC binaries for jscpd-rs",
+    "packageName": "jscpd-rs-win",
+    "description": "Prebuilt Windows x64 binaries for jscpd-rs",
     "os": "win32",
     "cpu": "x64",
     "rustTarget": "x86_64-pc-windows-msvc",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jscpd-rs",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "50x+ faster duplicate-code detector for CI/CD; jscpd-compatible CLI, SARIF, JSON, HTML reports",
   "license": "MIT",
   "repository": {
@@ -28,11 +28,11 @@
     "cli"
   ],
   "optionalDependencies": {
-    "jscpd-rs-darwin-arm64": "0.1.1",
-    "jscpd-rs-darwin-x64": "0.1.1",
-    "jscpd-rs-linux-arm64-gnu": "0.1.1",
-    "jscpd-rs-linux-x64-gnu": "0.1.1",
-    "jscpd-rs-win32-x64-msvc": "0.1.1"
+    "jscpd-rs-darwin-arm64": "0.1.3",
+    "jscpd-rs-darwin-x64": "0.1.3",
+    "jscpd-rs-linux-arm64-gnu": "0.1.3",
+    "jscpd-rs-linux-x64-gnu": "0.1.3",
+    "jscpd-rs-win": "0.1.3"
   },
   "bin": {
     "jscpd-rs": "npm/bin/jscpd-rs.js",

package/src/bin/jscpd-server.rs

@@ -3,7 +3,7 @@ use std::path::PathBuf;
 
 use anyhow::{Result, bail};
 use clap::Parser;
-use jscpd_rs::cli::{Cli, Options};
+use jscpd_rs::{Cli, Options};
 
 #[tokio::main]
 async fn main() {

package/src/blame.rs

@@ -94,6 +94,10 @@ fn blame_line_regex() -> &'static Regex {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::tokenizer::Location;
+    use std::fs;
+    use std::path::{Path, PathBuf};
+    use std::time::{SystemTime, UNIX_EPOCH};
 
     #[test]
     fn parses_git_blame_lines() {
@@ -127,4 +131,116 @@ cccccccc (Carol 2024-01-03 00:00:00 +0000 3) third
         assert_eq!(sliced["2"].author, "Bob");
         assert_eq!(sliced["3"].author, "Carol");
     }
+
+    #[test]
+    fn ignores_malformed_git_blame_lines() {
+        let blame = parse_git_blame(
+            "\
+not blame output
+aaaaaaaa (Alice 2024-01-01 00:00:00 +0000 1) first
+bbbbbbbb (Bob 2024-01-02 00:00 +0000 2) bad date
+",
+        );
+
+        assert_eq!(blame.len(), 1);
+        assert_eq!(blame["1"].author, "Alice");
+    }
+
+    #[test]
+    fn applies_cached_blame_to_fragment_range() {
+        let mut cache = HashMap::from([(
+            "src/a.js".to_string(),
+            Some(parse_git_blame(
+                "\
+aaaaaaaa (Alice 2024-01-01 00:00:00 +0000 1) first
+bbbbbbbb (Bob 2024-01-02 00:00:00 +0000 2) second
+cccccccc (Carol 2024-01-03 00:00:00 +0000 3) third
+",
+            )),
+        )]);
+        let mut fragment = fragment("src/a.js", 2, 3);
+
+        apply_fragment_blame(&mut fragment, &mut cache);
+
+        let blame = fragment.blame.expect("fragment blame");
+        assert_eq!(blame.keys().cloned().collect::<Vec<_>>(), vec!["2", "3"]);
+        assert_eq!(blame["2"].author, "Bob");
+        assert_eq!(blame["3"].author, "Carol");
+    }
+
+    #[test]
+    fn omits_cached_blame_when_file_or_range_has_no_blame() {
+        let mut cache = HashMap::from([
+            ("missing.js".to_string(), None),
+            (
+                "src/a.js".to_string(),
+                Some(parse_git_blame(
+                    "aaaaaaaa (Alice 2024-01-01 00:00:00 +0000 10) tenth\n",
+                )),
+            ),
+        ]);
+        let mut missing = fragment("missing.js", 1, 1);
+        let mut outside_range = fragment("src/a.js", 1, 2);
+
+        apply_fragment_blame(&mut missing, &mut cache);
+        apply_fragment_blame(&mut outside_range, &mut cache);
+
+        assert!(missing.blame.is_none());
+        assert!(outside_range.blame.is_none());
+    }
+
+    #[test]
+    fn reads_git_blame_for_tracked_file() {
+        let repo = unique_temp_dir("blame-repo");
+        fs::create_dir_all(&repo).unwrap();
+        git(&repo, &["init", "-q"]);
+        git(&repo, &["config", "user.email", "jscpd-rs@example.test"]);
+        git(&repo, &["config", "user.name", "Jscpd Rs"]);
+        let path = repo.join("tracked.js");
+        fs::write(&path, "const first = 1;\nconst second = 2;\n").unwrap();
+        git(&repo, &["add", "tracked.js"]);
+        git(&repo, &["commit", "--no-gpg-sign", "-q", "-m", "initial"]);
+
+        let blame = blame_file(path.to_str().unwrap()).expect("git blame output");
+        let _ = fs::remove_dir_all(&repo);
+
+        assert_eq!(blame.len(), 2);
+        assert_eq!(blame["1"].author, "Jscpd Rs");
+        assert_eq!(blame["2"].line, "2");
+    }
+
+    fn fragment(source_id: &str, start_line: usize, end_line: usize) -> Fragment {
+        Fragment {
+            source_id: source_id.to_string(),
+            start: location(start_line),
+            end: location(end_line),
+            range: [0, 0],
+            blame: None,
+        }
+    }
+
+    fn location(line: usize) -> Location {
+        Location {
+            line,
+            column: 1,
+            position: 0,
+        }
+    }
+
+    fn git(repo: &Path, args: &[&str]) {
+        let status = Command::new("git")
+            .args(args)
+            .current_dir(repo)
+            .status()
+            .expect("run git");
+        assert!(status.success(), "git {args:?} failed");
+    }
+
+    fn unique_temp_dir(label: &str) -> PathBuf {
+        let suffix = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap()
+            .as_nanos();
+        std::env::temp_dir().join(format!("jscpd-rs-{label}-{}-{suffix}", std::process::id()))
+    }
 }