plotlink-ows 1.0.33 → 1.2.95

package/scripts/gen-schema-sql.mjs

@@ -0,0 +1,49 @@
+#!/usr/bin/env node
+// Regenerate app/prisma/schema.sql from app/prisma/schema.prisma (#484).
+//
+// The installed app applies this committed DDL at startup via the Prisma client
+// (app/lib/apply-schema.ts) instead of running `prisma db push`, so the native
+// Prisma schema-engine is never needed at runtime. Run this (and commit the
+// result) after ANY change to schema.prisma:  npm run prisma:sql
+//
+// This uses the schema-engine via `prisma migrate diff` — that's fine here
+// because it runs at DEV/build time on a developer machine, not at user runtime.
+
+import { execFileSync } from "node:child_process";
+import { writeFileSync, readFileSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { createRequire } from "node:module";
+
+const root = join(dirname(fileURLToPath(import.meta.url)), "..");
+const schemaPath = join(root, "app", "prisma", "schema.prisma");
+const outPath = join(root, "app", "prisma", "schema.sql");
+
+// Resolve the local Prisma CLI (same robust resolution the runtime once used).
+const requireFrom = createRequire(join(root, "__resolver__.js"));
+const prismaPkg = requireFrom.resolve("prisma/package.json");
+const pkg = JSON.parse(readFileSync(prismaPkg, "utf8"));
+const binRel = typeof pkg.bin === "string" ? pkg.bin : pkg.bin.prisma;
+const prismaCli = join(dirname(prismaPkg), binRel);
+
+const ddl = execFileSync(
+  process.execPath,
+  [prismaCli, "migrate", "diff", "--from-empty", "--to-schema-datamodel", schemaPath, "--script"],
+  { encoding: "utf8" },
+).trim();
+
+const header = [
+  "-- Canonical SQLite DDL for the local writer database.",
+  "-- GENERATED from app/prisma/schema.prisma — do not edit by hand.",
+  "-- Regenerate after any schema change:  npm run prisma:sql",
+  "--",
+  "-- Applied idempotently at startup via the Prisma client's library query engine",
+  "-- (app/lib/apply-schema.ts) so the installed package never invokes the native",
+  "-- Prisma schema-engine (`prisma db push`), which fails to spawn in some packed",
+  "-- prod-only environments (#484, EPIC #465).",
+  "",
+  "",
+].join("\n");
+
+writeFileSync(outPath, header + ddl + "\n");
+console.log(`Wrote ${outPath}`);

package/scripts/package-hygiene.mjs

@@ -0,0 +1,116 @@
+// Suspicious-file detection for the release preflight (#466, EPIC #465).
+//
+// Any packed file whose path matches one of these rules must NEVER ship in the
+// published `plotlink-ows` package. The package.json `files` allowlist already
+// excludes them (negation patterns); this is the preflight's belt-and-suspenders
+// detection so a regression is caught before publish. Keep the two in sync.
+
+export const SUSPICIOUS_RULES = [
+  { re: /(^|\/)node_modules\//, label: "bundled node_modules" },
+  { re: /\.(test|spec)\.[cm]?[jt]sx?$/, label: "test/spec file" },
+  { re: /(^|\/)(__fixtures__|fixtures)\/|\.fixture\./, label: "test fixture" },
+  { re: /\.snap$/, label: "test snapshot" },
+  { re: /(^|\/)e2e[-/]/, label: "e2e/test tooling" },
+  { re: /\.tgz$/, label: "packed tarball" },
+  { re: /(^|\/)(\.next\/cache|\.turbo|\.vite|\.cache|coverage|\.nyc_output)\//, label: "build/coverage cache" },
+  { re: /(^|\/)screenshots?\/|(^|\/)screenshot-/, label: "screenshot/marketing image" },
+  { re: /(^|\/)(tmp|temp)\/|\.(log|tmp|bak|swp)$/, label: "temp/log file" },
+  { re: /(^|\/)\.env(\..+)?$|\.(pem|key)$/, label: "possible secret/credential file" },
+];
+
+// The runtime files the published package MUST contain. A `files`-allowlist
+// change that drops one of these fails the preflight (#468). `app/web/dist` is
+// required because the CLI serves the prebuilt web UI from it.
+export const REQUIRED_PACK_FILES = [
+  "package.json",
+  "README.md",
+  "LICENSE",
+  "bin/plotlink-ows.js",
+  // The bin requires this in-package helper at runtime (start-path boundary
+  // planner); `files` ships all of `bin/`, but listing it here fails preflight
+  // if a future exclusion drops it (#470).
+  "bin/startup-plan.cjs",
+  "app/server.ts",
+  // Imported by app/server.ts at boot to apply the local SQLite schema without
+  // the native Prisma schema-engine (#484).
+  "app/lib/apply-schema.ts",
+  // The committed DDL apply-schema reads at startup — the installed app applies
+  // this instead of running `prisma db push` (#484).
+  "app/prisma/schema.sql",
+  "app/prisma/schema.prisma",
+  "app/web/dist/index.html",
+  // Root-lib file the server runtime imports at boot (publish route →
+  // `../../lib/genres`); `files` packs only `lib/ows/`, so it must be listed
+  // explicitly or the published CLI fails to start (#469).
+  "lib/genres.ts",
+];
+
+// The published OWS CLI runtime install path (`dependencies`). EPIC #465 keeps
+// this set MINIMAL — only packages the CLI actually loads at runtime (the server
+// in `app/`, the `bin/` wizard, and the runtime helpers in `lib/`). Web-app
+// (`src/`), build-time, and direct-upload-only packages belong in
+// `devDependencies` (see DEPENDENCIES.md): React/Vite/etc. (#469) and
+// `@aws-sdk/client-s3` (#471 — OWS uploads go through the PlotLink API, so the
+// S3/Filebase client is web-app-only). A new entry here must be a genuine OWS
+// runtime import; add it consciously (and document it) rather than by accident.
+export const ALLOWED_RUNTIME_DEPS = [
+  "@hono/node-server",
+  "@open-wallet-standard/core",
+  "@prisma/client",
+  "@supabase/supabase-js",
+  "dotenv",
+  "hono",
+  "node-pty",
+  "prisma",
+  "tsx",
+  "viem",
+  "ws",
+];
+
+/**
+ * Runtime `dependencies` that are NOT in the OWS runtime allowlist — i.e. a
+ * web-app/build-time/upload-only package that leaked into the published install
+ * path (#471, EPIC #465). An empty array means the install path is clean.
+ */
+export function findRuntimeDepLeaks(pkg) {
+  const allowed = new Set(ALLOWED_RUNTIME_DEPS);
+  return Object.keys(pkg.dependencies ?? {}).filter((d) => !allowed.has(d));
+}
+
+/** Return the REQUIRED_PACK_FILES that are NOT in the packed path list. */
+export function findMissingRequired(paths) {
+  const set = new Set(paths);
+  return REQUIRED_PACK_FILES.filter((req) => !set.has(req));
+}
+
+/**
+ * Return `[{ label, path }]` for every path matching a suspicious rule (first
+ * match wins per path). An empty array means the file list is clean.
+ */
+export function findSuspicious(paths) {
+  const out = [];
+  for (const path of paths) {
+    for (const rule of SUSPICIOUS_RULES) {
+      if (rule.re.test(path)) { out.push({ label: rule.label, path }); break; }
+    }
+  }
+  return out;
+}
+
+/**
+ * The files a freshly-installed package MUST contain to function: the bin(s),
+ * the app entrypoints, AND every file the install LIFECYCLE references — notably
+ * the `--schema <path>` the `postinstall` runs `prisma generate` against (#466,
+ * re1). The smoke test asserts these are present, so a `files`-allowlist
+ * regression that drops a postinstall prerequisite fails the preflight instead
+ * of silently breaking a real `npm install` of the published tarball.
+ */
+export function requiredInstalledFiles(pkg) {
+  const required = ["package.json", "app/server.ts", "app/web/dist/index.html"];
+  const binPaths = typeof pkg.bin === "string" ? [pkg.bin] : Object.values(pkg.bin ?? {});
+  for (const b of binPaths) if (b) required.push(String(b).replace(/^\.?\//, ""));
+  // Every `--schema <path>` referenced by the postinstall lifecycle.
+  const postinstall = pkg.scripts?.postinstall ?? "";
+  for (const m of postinstall.matchAll(/--schema[= ]+(\S+)/g)) required.push(m[1]);
+  return [...new Set(required)];
+}

package/scripts/preflight.mjs

@@ -0,0 +1,173 @@
+#!/usr/bin/env node
+// PlotLink OWS — release preflight & package-hygiene check (#466, EPIC #465).
+//
+// Run before a manual `npm publish` (the operator gate, #472) with:
+//
+//     npm run preflight
+//
+// It is READ-ONLY and safe: it never runs `npm audit fix`, never publishes,
+// never needs `npm login`, and never prints secrets/passphrases/wallet data.
+//
+// It reports + checks four things, and exits non-zero on any blocking issue:
+//   1. Expected Node/npm toolchain (from package.json engines / packageManager).
+//   2. A production `npm audit --omit=dev` summary (reported; high/critical warn).
+//   3. The packed-package contents (`npm pack --dry-run`), FAILING on any
+//      generated/local artifact that must never ship: bundled node_modules,
+//      *.test.* / *.spec.* files, stray *.tgz tarballs, build caches, or obvious
+//      secret files (.env/.pem/.key).
+//   4. A packed-tarball install smoke test in a throwaway temp dir (no scripts),
+//      verifying the bin + runtime entrypoints land and the bin parses.
+//
+// Keep the SUSPICIOUS rules below in sync with the `files` exclusions in
+// package.json — they are two sides of the same hygiene contract.
+
+import { execFileSync } from "node:child_process";
+import { readFileSync, mkdtempSync, rmSync, existsSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { findSuspicious, findMissingRequired, requiredInstalledFiles, findRuntimeDepLeaks } from "./package-hygiene.mjs";
+
+const root = join(dirname(fileURLToPath(import.meta.url)), "..");
+const pkg = JSON.parse(readFileSync(join(root, "package.json"), "utf8"));
+
+const failures = [];
+const warnings = [];
+const section = (t) => console.log(`\n=== ${t} ===`);
+const fail = (m) => { failures.push(m); console.log(`  ✗ ${m}`); };
+const warn = (m) => { warnings.push(m); console.log(`  ! ${m}`); };
+const ok = (m) => console.log(`  ✓ ${m}`);
+
+/** Run a command, returning { code, stdout } without throwing (audit/pack exit non-zero on findings). */
+function run(cmd, args, opts = {}) {
+  try {
+    const stdout = execFileSync(cmd, args, { cwd: root, encoding: "utf8", stdio: ["ignore", "pipe", "ignore"], maxBuffer: 64 * 1024 * 1024, ...opts });
+    return { code: 0, stdout };
+  } catch (e) {
+    return { code: e.status ?? 1, stdout: e.stdout?.toString() ?? "" };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// 1) Expected toolchain
+// ---------------------------------------------------------------------------
+section("Expected toolchain");
+console.log(`  engines.node:    ${pkg.engines?.node ?? "(unset)"}`);
+console.log(`  engines.npm:     ${pkg.engines?.npm ?? "(unset)"}`);
+console.log(`  packageManager:  ${pkg.packageManager ?? "(unset)"}`);
+const haveNode = process.version;
+const haveNpm = run("npm", ["-v"]).stdout.trim() || "?";
+console.log(`  running node ${haveNode} / npm ${haveNpm}`);
+if (!/^v20\./.test(haveNode)) warn(`Node ${haveNode} is not 20.x — publish should run on Node 20.x (engines.node).`);
+if (!/^10\./.test(haveNpm)) warn(`npm ${haveNpm} is not 10.x — publish should run on npm 10.x (engines.npm / packageManager).`);
+if (warnings.length === 0) ok("running on the expected Node 20.x / npm 10.x toolchain");
+
+// ---------------------------------------------------------------------------
+// 2) Production audit summary (reported; never auto-fixed)
+// ---------------------------------------------------------------------------
+section("Production audit (npm audit --omit=dev)");
+const audit = run("npm", ["audit", "--omit=dev", "--json"]);
+try {
+  const vulns = JSON.parse(audit.stdout).metadata?.vulnerabilities ?? {};
+  console.log(`  ${JSON.stringify(vulns)}`);
+  const severe = (vulns.high ?? 0) + (vulns.critical ?? 0);
+  if (severe > 0) warn(`${severe} high/critical production vulnerabilit${severe === 1 ? "y" : "ies"} — review before publishing (do NOT run 'npm audit fix --force').`);
+  else ok("no high/critical production vulnerabilities");
+} catch {
+  warn("could not parse `npm audit` output (offline, or registry unreachable) — re-run with network access before publishing.");
+}
+
+// ---------------------------------------------------------------------------
+// 2b) Runtime dependency boundary (#471, EPIC #465)
+// ---------------------------------------------------------------------------
+section("Runtime dependency boundary (dependencies allowlist)");
+const leaks = findRuntimeDepLeaks(pkg);
+if (leaks.length) {
+  fail(`web-app/build/upload-only package(s) in runtime 'dependencies' (move to devDependencies, or add to ALLOWED_RUNTIME_DEPS if genuinely a runtime import): ${leaks.join(", ")}`);
+} else {
+  ok(`runtime 'dependencies' match the OWS allowlist (${Object.keys(pkg.dependencies ?? {}).length} pkgs; no web-app/S3/build leaks)`);
+}
+
+// ---------------------------------------------------------------------------
+// 3) Packed contents + suspicious-file detection
+// ---------------------------------------------------------------------------
+section("Packed package contents (npm pack --dry-run)");
+const dry = run("npm", ["pack", "--dry-run", "--json"]);
+let manifest = null;
+try { manifest = JSON.parse(dry.stdout)[0]; } catch { fail("`npm pack --dry-run --json` did not return a parseable manifest."); }
+if (manifest) {
+  console.log(`  entries: ${manifest.entryCount}   unpacked: ${(manifest.unpackedSize / 1024).toFixed(0)}KB   tarball: ${(manifest.size / 1024).toFixed(0)}KB`);
+  const paths = manifest.files.map((f) => f.path);
+  const bad = findSuspicious(paths);
+  if (bad.length) {
+    fail(`${bad.length} suspicious file(s) in the packed package (fix the package.json 'files' exclusions):`);
+    bad.slice(0, 40).forEach((b) => console.log(`      - ${b.label}: ${b.path}`));
+    if (bad.length > 40) console.log(`      … and ${bad.length - 40} more`);
+  } else {
+    ok("clean: no node_modules / test / fixture / coverage / screenshot / tarball / cache / temp / secret files");
+  }
+  // Enforce that the required runtime contents are still present (#468) — a
+  // `files` exclusion that's too aggressive (dropping the bin, README, LICENSE,
+  // the Prisma schema, or the prebuilt web UI) fails here.
+  const missing = findMissingRequired(paths);
+  if (missing.length) fail(`packed package is missing required runtime file(s): ${missing.join(", ")}`);
+  else ok("required runtime contents present (bin, README, LICENSE, server, Prisma schema, web dist)");
+}
+
+// ---------------------------------------------------------------------------
+// 4) Packed-tarball install smoke test (temp dir, no install scripts)
+// ---------------------------------------------------------------------------
+section("Tarball install smoke test");
+let tmp;
+try {
+  tmp = mkdtempSync(join(tmpdir(), "plotlink-preflight-"));
+  // Pack the real tarball INTO the temp dir, so no stray .tgz is left in the repo.
+  const packed = run("npm", ["pack", "--pack-destination", tmp, "--json"]);
+  const tgz = JSON.parse(packed.stdout)[0]?.filename;
+  if (!tgz) throw new Error("npm pack did not report a tarball filename");
+  const tgzPath = join(tmp, tgz);
+  // A throwaway consumer project that installs the tarball.
+  writeFileSync(join(tmp, "package.json"), JSON.stringify({ name: "preflight-smoke", private: true, version: "0.0.0" }) + "\n");
+  // --ignore-scripts: don't run the package's postinstall (prisma generate) — this
+  // is a packaging smoke test, not a full runtime bring-up (that's the operator gate).
+  const install = run("npm", ["install", tgzPath, "--ignore-scripts", "--no-audit", "--no-fund", "--no-save"], { cwd: tmp });
+  if (install.code !== 0) throw new Error("`npm install <tarball>` failed in the temp project");
+  const installed = join(tmp, "node_modules", pkg.name);
+  // Includes the postinstall prerequisite (the Prisma schema) derived from the
+  // actual postinstall command, so dropping it from `files` fails here even
+  // though the install ran with --ignore-scripts (#466, re1).
+  const required = requiredInstalledFiles(pkg);
+  const missing = required.filter((f) => !existsSync(join(installed, f)));
+  if (missing.length) fail(`installed tarball is missing required runtime/postinstall file(s): ${missing.join(", ")}`);
+  else ok(`tarball installs cleanly; bin + runtime + postinstall prerequisites present (${required.length} checked)`);
+  const check = run(process.execPath, ["--check", join(installed, "bin/plotlink-ows.js")]);
+  if (check.code !== 0) fail("bin/plotlink-ows.js failed `node --check` (syntax error)");
+  else ok("bin/plotlink-ows.js passes node --check");
+} catch (e) {
+  fail(`tarball install smoke test failed: ${e.message || e}`);
+} finally {
+  if (tmp) rmSync(tmp, { recursive: true, force: true });
+}
+
+// ---------------------------------------------------------------------------
+// 5) Prod-only START smoke — packed tarball install + real server boot (#479)
+// ---------------------------------------------------------------------------
+section("Prod-only start smoke (packed tarball install + boot)");
+if (process.env.PREFLIGHT_SKIP_START_SMOKE === "1") {
+  warn("start smoke SKIPPED via PREFLIGHT_SKIP_START_SMOKE=1 — a skipped run is NOT publish-safe; re-run without it before publishing.");
+} else {
+  const startSmoke = run(process.execPath, [join(root, "scripts", "start-smoke.mjs")], { stdio: ["ignore", "inherit", "inherit"] });
+  if (startSmoke.code !== 0) fail("prod-only start smoke failed — the packed tarball did not install+boot+serve (see output above).");
+  else ok("packed tarball installs prod-only and the server serves /api/auth/status + / (the prebuilt web UI)");
+}
+
+// ---------------------------------------------------------------------------
+// Summary
+// ---------------------------------------------------------------------------
+section("Preflight summary");
+console.log(`  warnings: ${warnings.length}   failures: ${failures.length}`);
+if (failures.length) {
+  console.log(`\n✗ Preflight FAILED — ${failures.length} blocking issue(s). Do not publish.`);
+  process.exit(1);
+}
+console.log(`\n✓ Preflight passed${warnings.length ? ` (with ${warnings.length} warning(s) to review)` : ""}.`);

package/scripts/start-smoke.mjs

@@ -0,0 +1,128 @@
+#!/usr/bin/env node
+// Prod-only packed-tarball START smoke (#479, EPIC #465).
+//
+// The pack/install smoke in preflight only checks FILE presence with
+// `--ignore-scripts`; it cannot catch a *startup* regression. This smoke does a
+// real bring-up:
+//   1. `npm pack` the real tarball.
+//   2. `npm install --omit=dev` it (scripts ON — postinstall `prisma generate`
+//      and native builds run, exactly like a user install).
+//   3. Assert the web-app/build deps removed in #469/#471 are ABSENT.
+//   4. Start the CLI via its real bin with a FRESH HOME + minimal config, then
+//      assert the HTTP server actually serves `/api/auth/status` and `/`.
+//
+// This is the check that catches the #479 failure (the server exiting during
+// `prisma db push` in a packed prod-only install). Exits non-zero on any
+// failure and prints the captured server output so a real failure is diagnosable.
+//
+// Heavier than the pack smoke (installs from the registry + boots the server +
+// builds native deps), so it is a publish-gate check run by preflight. Set
+// PREFLIGHT_SKIP_START_SMOKE=1 to skip during local iteration (preflight warns
+// loudly when skipped — a skipped run is NOT publish-safe).
+
+import { execFileSync, spawn } from "node:child_process";
+import { mkdtempSync, rmSync, existsSync, writeFileSync, mkdirSync, readFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const root = join(dirname(fileURLToPath(import.meta.url)), "..");
+const pkg = JSON.parse(readFileSync(join(root, "package.json"), "utf8"));
+const PORT = Number(process.env.SMOKE_PORT) || 7787;
+const REMOVED_DEPS = ["@aws-sdk/client-s3", "react", "vite"]; // moved to devDeps in #469/#471
+const BOOT_TIMEOUT_MS = 60_000;
+
+let failures = 0;
+const ok = (m) => console.log(`  ✓ ${m}`);
+const fail = (m) => { failures++; console.log(`  ✗ ${m}`); };
+const sh = (cmd, args, opts = {}) => execFileSync(cmd, args, { encoding: "utf8", ...opts });
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+
+const tmp = mkdtempSync(join(tmpdir(), "plotlink-start-smoke-"));
+const home = join(tmp, "home");
+mkdirSync(home, { recursive: true });
+let child;
+let serverOut = "";
+
+try {
+  // 1) Pack the real tarball into the temp dir (no stray .tgz in the repo).
+  const tgz = JSON.parse(sh("npm", ["pack", "--pack-destination", tmp, "--json"], { cwd: root }))[0].filename;
+
+  // 2) Throwaway consumer; install prod-only WITH scripts (real user install).
+  writeFileSync(join(tmp, "package.json"), JSON.stringify({ name: "start-smoke", private: true, version: "0.0.0" }) + "\n");
+  sh("npm", ["install", join(tmp, tgz), "--omit=dev", "--no-audit", "--no-fund", "--no-save"], { cwd: tmp, stdio: "inherit" });
+  const installed = join(tmp, "node_modules", pkg.name);
+  if (!existsSync(installed)) throw new Error("package did not install into the consumer project");
+  ok("tarball installed prod-only (--omit=dev, scripts on)");
+
+  // 3) The web-app/build deps removed in #469/#471 must be absent (hoisted or nested).
+  const leaked = REMOVED_DEPS.filter(
+    (d) => existsSync(join(tmp, "node_modules", d)) || existsSync(join(installed, "node_modules", d)),
+  );
+  if (leaked.length) fail(`removed web-app/build deps present in prod install: ${leaked.join(", ")}`);
+  else ok(`removed deps absent from prod install (${REMOVED_DEPS.join(", ")})`);
+
+  // 4) Fresh HOME + minimal config so the bin starts the server (skips the wizard).
+  const cfgDir = join(home, ".plotlink-ows");
+  mkdirSync(cfgDir, { recursive: true });
+  writeFileSync(
+    join(cfgDir, "config.json"),
+    JSON.stringify({ port: PORT, passphrase_hash: "smoke", wallet_name: "plotlink-writer", created_at: "2026-01-01T00:00:00Z" }) + "\n",
+  );
+
+  // 5) Start via the real bin (exercises cmdStart → server → prisma db push).
+  const binPath = join(installed, "bin", "plotlink-ows.js");
+  child = spawn(process.execPath, [binPath], {
+    cwd: installed,
+    // PLOTLINK_OWS_NO_OPEN=1 stops the bin auto-opening a browser during this
+    // non-interactive release check (#481); normal `npx plotlink-ows` is unaffected.
+    env: { ...process.env, HOME: home, USERPROFILE: home, APP_PORT: String(PORT), PLOTLINK_OWS_NO_OPEN: "1" },
+    stdio: ["ignore", "pipe", "pipe"],
+    detached: true, // own process group, so we can kill the bin AND its server child
+  });
+  child.stdout.on("data", (d) => (serverOut += d));
+  child.stderr.on("data", (d) => (serverOut += d));
+
+  const deadline = Date.now() + BOOT_TIMEOUT_MS;
+  let statusOk = false;
+  let rootOk = false;
+  while (Date.now() < deadline) {
+    if (child.exitCode !== null) break; // bin exited (e.g. db push failed)
+    try {
+      const r = await fetch(`http://localhost:${PORT}/api/auth/status`);
+      if (r.ok) {
+        statusOk = true;
+        const rootRes = await fetch(`http://localhost:${PORT}/`);
+        rootOk = rootRes.ok && /<!doctype html|<html/i.test(await rootRes.text());
+        break;
+      }
+    } catch {
+      /* not listening yet */
+    }
+    await sleep(1000);
+  }
+
+  if (statusOk) ok("server serves GET /api/auth/status");
+  else fail(`server did not serve /api/auth/status within ${BOOT_TIMEOUT_MS / 1000}s (bin exitCode=${child.exitCode})`);
+  if (rootOk) ok("server serves GET / (prebuilt web UI)");
+  else fail("server did not serve the prebuilt web UI at /");
+
+  if (failures > 0 && serverOut.trim()) {
+    console.log("\n  --- captured server output ---");
+    for (const line of serverOut.trimEnd().split("\n")) console.log(`  | ${line}`);
+  }
+} catch (e) {
+  fail(`start smoke errored: ${e?.message || e}`);
+  if (serverOut.trim()) {
+    console.log("\n  --- captured server output ---");
+    for (const line of serverOut.trimEnd().split("\n")) console.log(`  | ${line}`);
+  }
+} finally {
+  if (child && child.pid && child.exitCode === null) {
+    try { process.kill(-child.pid, "SIGTERM"); } catch { /* group gone */ }
+    try { child.kill("SIGKILL"); } catch { /* already dead */ }
+  }
+  rmSync(tmp, { recursive: true, force: true });
+}
+
+process.exit(failures > 0 ? 1 : 0);

package/app/node_modules/.prisma/local-client/client.d.ts

@@ -1 +0,0 @@
-export * from "./index"

package/app/node_modules/.prisma/local-client/client.js

@@ -1,5 +0,0 @@
-
-/* !!! This is code generated by Prisma. Do not edit directly. !!!
-/* eslint-disable */
-// biome-ignore-all lint: generated file
-module.exports = { ...require('.') }

package/app/node_modules/.prisma/local-client/default.d.ts

@@ -1 +0,0 @@
-export * from "./index"

package/app/node_modules/.prisma/local-client/default.js

@@ -1,5 +0,0 @@
-
-/* !!! This is code generated by Prisma. Do not edit directly. !!!
-/* eslint-disable */
-// biome-ignore-all lint: generated file
-module.exports = { ...require('#main-entry-point') }

package/app/node_modules/.prisma/local-client/edge.d.ts

@@ -1 +0,0 @@
-export * from "./default"