Skip to content

silent verify script#282

Open
jasonmorais wants to merge 19 commits into
mainfrom
jason/silent-verify
Open

silent verify script#282
jasonmorais wants to merge 19 commits into
mainfrom
jason/silent-verify

Conversation

@jasonmorais

@jasonmorais jasonmorais commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Summary by Sourcery

Introduce reusable silent verification command runners and integrate them into the repository-wide verify workflow.

New Features:

  • Add silent command runner utilities and sequence builder under a new @cellix/local-dev/silent-runners entrypoint for composing verification workflows.
  • Provide reusable wrappers for common verification tools such as pnpm scripts, audits, Snyk scans, Sonar scripts, and test runners, plus a fluent VerificationSequence API.
  • Add a new Node-based build-pipeline verify script that runs the full verification sequence using the silent runners.

Enhancements:

  • Export new JSON write helper and silent-runner utilities from the @cellix/local-dev root and files entrypoints.
  • Extend @cellix/local-dev documentation and manifest to describe silent runners, new exports, and package scope updates.
  • Adjust the Serenity agent formatter to suppress empty result output when no issues are found.
  • Update vitest config to alias the new silent-runners source entry and expose additional subpath exports for local-dev.
  • Refine root README formatting around existing documentation sections.

Build:

  • Expose new subpath exports for @cellix/local-dev/silent-runners and @cellix/local-dev/vite in the package manifest and wire them into the build artifacts.

CI:

  • Wire the root verify npm script to the new silent verification pipeline script and ensure it participates in CI flows.

Documentation:

  • Update @cellix/local-dev README and manifest to document silent verification runners, new tool wrappers, and public exports, including usage examples and behavioral notes about output and buffering.

Tests:

  • Add vitest coverage for silent command behavior, including success silence, failure replay, configurable buffers, sequence execution, failure short-circuiting, and VerificationSequence immutability.

Chores:

  • Tighten dependency overrides in pnpm-workspace.yaml for protobufjs, body-parser, js-yaml, and OpenTelemetry packages to newer patched versions.

@sourcery-ai

sourcery-ai Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Reviewer's Guide

Introduce a reusable "silent verification" infrastructure in @cellix/local-dev (including command runners, pnpm/Snyk/Sonar wrappers, and a fluent verification sequence) and adopt it in the root verify pipeline, while tightening AgentFormatter logging behavior, exposing writeJsonFile, and updating exports, docs, and dependency overrides.

File-Level Changes

Change Details Files
Add silent command runners, verification sequence abstraction, and tool-specific wrappers (pnpm, audit, Knip, Snyk, Sonar, test runners) and cover them with tests.
  • Create a new @cellix/local-dev/silent-runners entrypoint that defines runSilentCommand, runSilentCommandSequence, shared type contracts, and the VerificationSequence fluent builder, with default buffering and failure-output replay semantics.
  • Provide thin wrapper builders around pnpm scripts, pnpm audit, Knip, Snyk dependency/code/IaC scans, Sonar PR/quality-gate scripts, and common test runners so verification workflows can be constructed declaratively.
  • Extend the local-dev public index to re-export all silent-runner commands, types, and wrappers and wire Vitest aliasing so tests import from the new entrypoint.
  • Add comprehensive tests that simulate spawned commands to assert silent success behavior, replay-on-failure semantics, per-step maxBuffer inheritance/overrides, sequence short-circuiting on failure, and immutability of the shared verificationSequence singleton.
packages/cellix/local-dev/src/silent-runners/index.ts
packages/cellix/local-dev/src/silent-runners/pnpm.ts
packages/cellix/local-dev/src/silent-runners/pnpm-audit.ts
packages/cellix/local-dev/src/silent-runners/knip.ts
packages/cellix/local-dev/src/silent-runners/snyk.ts
packages/cellix/local-dev/src/silent-runners/sonar.ts
packages/cellix/local-dev/src/silent-runners/test-runners.ts
packages/cellix/local-dev/src/index.ts
packages/cellix/local-dev/vitest.config.ts
packages/cellix/local-dev/src/index.test.ts
Adopt the silent verification infrastructure in the root verify pipeline script and clarify package responsibilities around verification and scanners.
  • Replace the package.json verify script’s long pnpm command chain with a Node-based build-pipeline/scripts/verify.ts that composes the reusable verificationSequence using the new wrappers and prints a single success line on full pass.
  • Encode repo-specific Snyk org, repo URL, and policy-path arguments inside the verify script rather than in the shared helpers, keeping local-dev policy-free with respect to scanner configuration.
  • Document silent runners, verification sequences, and tool wrappers in the local-dev README and manifest, including usage examples, scope/non-goals, and notes on output buffering and scanner policy ownership.
  • Publish the new @cellix/local-dev/silent-runners and vite subpath exports in the local-dev package.json and mention them in the README and manifest entrypoint lists.
build-pipeline/scripts/verify.ts
package.json
packages/cellix/local-dev/README.md
packages/cellix/local-dev/manifest.md
packages/cellix/local-dev/package.json
Refine the local-dev file utilities and public API surface.
  • Expose writeJsonFile from the files/json module via both the files subpath and root local-dev index so consumers can write JSON alongside syncJsonFile.
  • Adjust documentation of the public API list in README and manifest to include new silent-runner exports and clarify that silent wrappers encode CLI shape but not project-specific scanner policy.
packages/cellix/local-dev/src/files/index.ts
packages/cellix/local-dev/src/index.ts
packages/cellix/local-dev/README.md
packages/cellix/local-dev/manifest.md
Tighten AgentFormatter logging to avoid noisy summaries when no issues are found.
  • Change onTestRunFinished so it returns early when issueCount is zero, suppressing the "Agent Results" banner and any success message in the no-issue case.
  • Always log an Issues: line when there are issues instead of conditionally printing a generic "All scenarios passed" message.
packages/cellix/serenity-framework/src/formatters/agent-formatter.ts
Update workspace configuration and tooling overrides to support the new exports and patch dependencies.
  • Add a Vitest TSConfig and alias entry for the new silent-runners entrypoint to enable direct source testing.
  • Adjust pnpm overrides to bump protobufjs, body-parser, js-yaml, and selected OpenTelemetry packages, plus some related transitive overrides.
  • Wire @cellix/local-dev as a devDependency in the root package so the verify script can import silent-runners.
  • Apply minor formatting tweaks and blank-line insertions in documentation files to satisfy linters/formatters.
packages/cellix/local-dev/tsconfig.vitest.json
packages/cellix/local-dev/vitest.config.ts
pnpm-workspace.yaml
package.json
readme.md
.snyk
knip.json
pnpm-lock.yaml

Possibly linked issues

  • #Silent Verify Runs - Create wrappers for scripts and enfornce native silence: PR implements silent runners, wrappers for knip/Snyk/tests, and a new verify pipeline exactly matching the issue goals.

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@jasonmorais jasonmorais marked this pull request as ready for review June 22, 2026 15:32
@jasonmorais jasonmorais requested a review from a team June 22, 2026 15:32
@jasonmorais jasonmorais requested a review from a team as a code owner June 22, 2026 15:32

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 2 issues, and left some high level feedback:

  • In AgentFormatter.onTestRunFinished you now return early when issueCount === 0, which removes the previous "All scenarios passed" messaging entirely; if that feedback is still desired, consider keeping a minimal success summary instead of returning silently.
  • The verify.ts script prints a custom failure line after runSilentCommandSequence has already replayed the failing step's stdout/stderr; consider including the step exit status in that replay or adjusting the extra message to avoid redundant-but-slightly-different failure context.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In `AgentFormatter.onTestRunFinished` you now return early when `issueCount === 0`, which removes the previous "All scenarios passed" messaging entirely; if that feedback is still desired, consider keeping a minimal success summary instead of returning silently.
- The `verify.ts` script prints a custom failure line after `runSilentCommandSequence` has already replayed the failing step's stdout/stderr; consider including the step exit status in that replay or adjusting the extra message to avoid redundant-but-slightly-different failure context.

## Individual Comments

### Comment 1
<location path="build-pipeline/scripts/verify.ts" line_range="29-38" />
<code_context>
+	.addStep(sonarPullRequestAnalysis())
+	.addStep(sonarQualityGate());
+
+const isRunningAsCommand = import.meta.main;
+
+function runVerifyCommand(): void {
+	const result = cellixVerify.run();
+	if (result.status !== 0) {
+		process.stderr.write(`\nverify failed at step "${result.step.name}" (exit ${result.status})\n`);
+	} else {
+		process.stdout.write('verify passed\n');
+	}
+	process.exitCode = result.status;
+}
+
+if (isRunningAsCommand) {
+	runVerifyCommand();
+}
</code_context>
<issue_to_address>
**issue (bug_risk):** Using `import.meta.main` will never trigger in Node.js and prevents the script from running when executed directly.

In Node.js, `import.meta.main` is always `undefined`, so `runVerifyCommand()` never runs, even when this file is invoked as the entry script (e.g. via `pnpm run verify`). Use a Node-compatible check instead, such as comparing `import.meta.url` to `pathToFileURL(process.argv[1]).href`, or invoke `runVerifyCommand()` from a dedicated bootstrap file that always calls it.
</issue_to_address>

### Comment 2
<location path="package.json" line_range="52" />
<code_context>
 		"sonar:pr-windows": "for /f %i in ('node build-pipeline/scripts/get-pr-number.cjs') do set PR_NUMBER=%i && sonar-scanner -Dsonar.pullrequest.key=%PR_NUMBER% -Dsonar.pullrequest.branch=%BRANCH_NAME% -Dsonar.pullrequest.base=main",
 		"check-sonar": "node build-pipeline/scripts/check-sonar-quality-gate.cjs",
-		"verify": "pnpm run format:check && pnpm run test:arch && pnpm run test:coverage:merge && pnpm run test:e2e && pnpm run knip && pnpm run audit && pnpm run snyk && pnpm run sonar:pr && pnpm run check-sonar",
+		"verify": "node build-pipeline/scripts/verify.ts",
 		"knip": "knip",
 		"snyk": "pnpm run snyk:test && pnpm run snyk:code",
</code_context>
<issue_to_address>
**issue (bug_risk):** Running a `.ts` file directly with `node` will fail without a custom loader or precompiled JS.

This script now calls `node build-pipeline/scripts/verify.ts`, but Node can’t run TypeScript directly. Unless there’s an existing loader configured for this command (e.g. `tsx`, `ts-node`, or a custom `--loader`), it will fail at runtime. Consider either targeting the compiled `.js` file or running it via the configured TS runner instead of plain `node`.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread build-pipeline/scripts/verify.ts Outdated
Comment thread package.json Outdated
@jasonmorais

Copy link
Copy Markdown
Contributor Author

image For reference

@jasonmorais

Copy link
Copy Markdown
Contributor Author

@sourcery-ai review

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="build-pipeline/scripts/verify.ts" line_range="29-38" />
<code_context>
+	.addStep(sonarPullRequestAnalysis())
+	.addStep(sonarQualityGate());
+
+const isRunningAsCommand = import.meta.main;
+
+function runVerifyCommand(): void {
+	const result = cellixVerify.run();
+	if (result.status !== 0) {
+		process.stderr.write(`\nverify failed at step "${result.step.name}" (exit ${result.status})\n`);
+	} else {
+		process.stdout.write('verify passed\n');
+	}
+	process.exitCode = result.status;
+}
+
+if (isRunningAsCommand) {
+	runVerifyCommand();
+}
</code_context>
<issue_to_address>
**issue (bug_risk):** Using `import.meta.main` is likely non-portable and may prevent the verify script from running when invoked directly.

In Node’s current ESM implementation `import.meta.main` is not available, so `isRunningAsCommand` will be `undefined` and `runVerifyCommand()` will never run, even when you call `node build-pipeline/scripts/verify.ts` directly. To ensure the script actually executes as a CLI, switch to the common pattern of comparing `import.meta.url` with `pathToFileURL(process.argv[1]).href` (or another supported entry-point check).
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread build-pipeline/scripts/verify.ts Outdated
@jasonmorais

Copy link
Copy Markdown
Contributor Author

@sourcery-ai review

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue, and left some high level feedback:

  • The new verify.ts script prints verify passed on success, which slightly conflicts with the goal of keeping successful verification runs silent; consider making this success message optional (e.g., behind a flag) or removing it to keep the workflow fully quiet when healthy.
  • The runSilentCommand helper hardcodes a 64MB maxBuffer; if you expect some tools to produce larger output, consider exposing maxBuffer (or a similar option) on SilentCommandOptions so callers can tune this per command.
  • The construction of the cellixVerify sequence in verify.ts is fairly specific and could be reused elsewhere; consider extracting this builder into a small shared helper in @cellix/local-dev (or a nearby module) so local/CI verification flows can share the same sequence definition without duplication.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The new `verify.ts` script prints `verify passed` on success, which slightly conflicts with the goal of keeping successful verification runs silent; consider making this success message optional (e.g., behind a flag) or removing it to keep the workflow fully quiet when healthy.
- The `runSilentCommand` helper hardcodes a 64MB `maxBuffer`; if you expect some tools to produce larger output, consider exposing `maxBuffer` (or a similar option) on `SilentCommandOptions` so callers can tune this per command.
- The construction of the `cellixVerify` sequence in `verify.ts` is fairly specific and could be reused elsewhere; consider extracting this builder into a small shared helper in `@cellix/local-dev` (or a nearby module) so local/CI verification flows can share the same sequence definition without duplication.

## Individual Comments

### Comment 1
<location path="packages/cellix/local-dev/src/silent-runners/index.ts" line_range="177-186" />
<code_context>
+ * @param options - Sequence steps and optional process context.
+ * @returns The final successful step result or the first failing step result.
+ */
+export function runSilentCommandSequence(options: SilentCommandSequenceOptions): SilentCommandSequenceResult {
+	const { cwd, env, spawn, steps, streams } = options;
+	if (steps.length === 0) {
+		throw new Error('runSilentCommandSequence requires at least one step');
+	}
+
+	let lastResult: SilentCommandSequenceResult | undefined;
+
+	for (const step of steps) {
+		const context: CommandSequenceContext = { cwd, env, spawn, streams };
+		const result = step.output === 'inherit' ? runInheritedCommand(buildCommandOptions(step, context)) : runSilentCommand(buildCommandOptions(step, context));
+		lastResult = {
+			...result,
+			step,
+		};
+
+		if (result.status !== 0) {
+			return lastResult;
+		}
+	}
+
+	if (!lastResult) {
+		throw new Error('runSilentCommandSequence requires at least one step');
+	}
</code_context>
<issue_to_address>
**nitpick:** The `runSilentCommandSequence` empty-steps guard is duplicated and could be simplified.

The function throws `runSilentCommandSequence requires at least one step` both on the initial `steps.length === 0` check and again when `!lastResult` after the loop. Because of the initial check, the post-loop guard is unreachable and can be removed, or you can drop the initial check and rely solely on the `lastResult` check to cover the empty-steps case.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread packages/cellix/local-dev/src/silent-runners/index.ts Outdated
@jasonmorais jasonmorais changed the title initial commit for precommit silent verify script Jun 23, 2026
@jasonmorais

Copy link
Copy Markdown
Contributor Author

@sourcery-ai review

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The new verify runner currently writes verify passed on success, which slightly conflicts with the "silent on success" contract of the silent runners; consider omitting this message so local runs stay fully quiet when healthy.
  • In replayFailureOutput, the stderr replay concatenates the failure banner and the tool stderr without ensuring a trailing newline from the tool output; consider always terminating the combined message with a newline to avoid malformed prompts when the tool's stderr is not newline-terminated.
  • The Snyk helper snykIacScan takes targets as the first argument whereas the other Snyk helpers accept only an options object; consider making its signature consistent (e.g., snykIacScan({ targets, args, name })) to keep the public API uniform.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The new verify runner currently writes `verify passed` on success, which slightly conflicts with the "silent on success" contract of the silent runners; consider omitting this message so local runs stay fully quiet when healthy.
- In `replayFailureOutput`, the stderr replay concatenates the failure banner and the tool stderr without ensuring a trailing newline from the tool output; consider always terminating the combined message with a newline to avoid malformed prompts when the tool's stderr is not newline-terminated.
- The Snyk helper `snykIacScan` takes `targets` as the first argument whereas the other Snyk helpers accept only an options object; consider making its signature consistent (e.g., `snykIacScan({ targets, args, name })`) to keep the public API uniform.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

# Conflicts:
#	package.json
#	packages/cellix/serenity-framework/src/formatters/agent-formatter.ts
@jasonmorais

Copy link
Copy Markdown
Contributor Author

@sourcery-ai review

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue, and left some high level feedback:

Fixed security issues:

  • @opentelemetry/exporter-prometheus (link)

  • @vitest/browser (link)

  • form-data (link)

  • protobufjs (link)

  • vite (link)

  • ws (link)

  • Some of the step-definition and helper changes collapse previously multi-line logical conditions and actor.attemptsTo calls into single very long lines, which hurts readability; consider keeping these broken across lines to preserve clarity and easier diffs.

  • For runSilentCommandSequence failures you currently only show the raw command line in replayFailureOutput; consider also including the CommandSequenceStep.name so failures are easier to correlate with the higher-level verify steps (e.g. snyk:code, audit:prod).

Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Some of the step-definition and helper changes collapse previously multi-line logical conditions and `actor.attemptsTo` calls into single very long lines, which hurts readability; consider keeping these broken across lines to preserve clarity and easier diffs.
- For `runSilentCommandSequence` failures you currently only show the raw command line in `replayFailureOutput`; consider also including the `CommandSequenceStep.name` so failures are easier to correlate with the higher-level verify steps (e.g. `snyk:code`, `audit:prod`).

## Individual Comments

### Comment 1
<location path="packages/cellix/local-dev/src/silent-runners/index.ts" line_range="283-293" />
<code_context>
+		...(step.args ? { args: step.args } : {}),
+		...(options.cwd ? { cwd: options.cwd } : {}),
+		...(options.env ? { env: options.env } : {}),
+		...(step.maxBuffer !== undefined ? { maxBuffer: step.maxBuffer } : options.maxBuffer !== undefined ? { maxBuffer: options.maxBuffer } : {}),
+		...(options.spawn ? { spawn: options.spawn } : {}),
+		...(options.streams ? { streams: options.streams } : {}),
</code_context>
<issue_to_address>
**suggestion:** Nested ternary for resolving maxBuffer hurts readability and is easy to misinterpret.

Consider replacing this nested ternary with clearer logic, e.g. compute `const maxBuffer = step.maxBuffer ?? options.maxBuffer;` and then conditionally spread `{ maxBuffer }`, or use straightforward `if` branches. This makes the precedence explicit and reduces the chance of mistakes if more options are added later.

```suggestion
function buildCommandOptions(step: CommandSequenceStep, options: CommandSequenceContext): SilentCommandOptions {
	const maxBuffer = step.maxBuffer ?? options.maxBuffer;

	return {
		...(step.args ? { args: step.args } : {}),
		...(options.cwd ? { cwd: options.cwd } : {}),
		...(options.env ? { env: options.env } : {}),
		...(maxBuffer !== undefined ? { maxBuffer } : {}),
		...(options.spawn ? { spawn: options.spawn } : {}),
		...(options.streams ? { streams: options.streams } : {}),
		command: step.command,
	};
}
```
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread packages/cellix/local-dev/src/silent-runners/index.ts
# Conflicts:
#	pnpm-lock.yaml
#	pnpm-workspace.yaml
# Conflicts:
#	packages/cellix/local-dev/README.md
#	packages/cellix/local-dev/manifest.md
#	packages/cellix/local-dev/package.json
#	packages/cellix/local-dev/src/index.test.ts
#	packages/cellix/local-dev/src/index.ts
#	packages/cellix/local-dev/tsconfig.vitest.json
#	packages/cellix/local-dev/vitest.config.ts
#	pnpm-lock.yaml
#	pnpm-workspace.yaml
@jasonmorais

Copy link
Copy Markdown
Contributor Author

@sourcery-ai review

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!

Fixed security issues:

  • @opentelemetry/exporter-prometheus (link)
  • @vitest/browser (link)
  • form-data (link)
  • protobufjs (link)
  • vite (link)
  • ws (link)

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@jasonmorais

Copy link
Copy Markdown
Contributor Author

@sourcery-ai review

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue

Fixed security issues:

  • @opentelemetry/exporter-prometheus (link)
  • @vitest/browser (link)
  • form-data (link)
  • protobufjs (link)
  • vite (link)
  • ws (link)
Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="packages/cellix/local-dev/src/silent-runners/index.ts" line_range="297-301" />
<code_context>
+	};
+}
+
+function toSilentCommandResult(result: SpawnSyncReturns<string>): SilentCommandResult {
+	return {
+		...(result.error ? { error: result.error } : {}),
+		signal: result.signal,
+		status: result.status ?? 1,
+		stderr: result.stderr ?? '',
+		stdout: result.stdout ?? '',
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Clarify handling of signal-terminated processes so status and messaging stay consistent.

For signal-terminated children, `result.status` is `null` and `result.signal` is set. Forcing `status` to `1` here will cause `replayFailureOutput` to print `exit 1`, losing the signal context and giving a misleading reason for failure. Consider either mapping the signal to a conventional status while still surfacing the signal in the failure output, or leaving `status` null and special‑casing the message (e.g. `Command failed (signal SIGTERM)`).

Suggested implementation:

```typescript
function toSilentCommandResult(result: SpawnSyncReturns<string>): SilentCommandResult {
	const status =
		result.status !== null && result.status !== undefined
			? result.status
			: result.signal
				? null
				: 1;

	return {
		...(result.error ? { error: result.error } : {}),
		signal: result.signal,
		status,
		stderr: result.stderr ?? '',
		stdout: result.stdout ?? '',
	};
}

```

To fully implement the suggestion:
1. Update the `SilentCommandResult` type (where it is defined) so that `status` can be `number | null` instead of just `number`, if it is currently restricted to `number`.
2. In the code that prints or logs failures (e.g. the `replayFailureOutput` helper referenced in your comment), special‑case the messaging:
   - If `result.signal` is set and `result.status` is `null`, render something like: `Command failed (signal SIGTERM)` instead of `exit 1`.
   - Otherwise, keep the existing `exit <status>` message for non‑signal failures.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment on lines +297 to +301
function toSilentCommandResult(result: SpawnSyncReturns<string>): SilentCommandResult {
return {
...(result.error ? { error: result.error } : {}),
signal: result.signal,
status: result.status ?? 1,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (bug_risk): Clarify handling of signal-terminated processes so status and messaging stay consistent.

For signal-terminated children, result.status is null and result.signal is set. Forcing status to 1 here will cause replayFailureOutput to print exit 1, losing the signal context and giving a misleading reason for failure. Consider either mapping the signal to a conventional status while still surfacing the signal in the failure output, or leaving status null and special‑casing the message (e.g. Command failed (signal SIGTERM)).

Suggested implementation:

function toSilentCommandResult(result: SpawnSyncReturns<string>): SilentCommandResult {
	const status =
		result.status !== null && result.status !== undefined
			? result.status
			: result.signal
				? null
				: 1;

	return {
		...(result.error ? { error: result.error } : {}),
		signal: result.signal,
		status,
		stderr: result.stderr ?? '',
		stdout: result.stdout ?? '',
	};
}

To fully implement the suggestion:

  1. Update the SilentCommandResult type (where it is defined) so that status can be number | null instead of just number, if it is currently restricted to number.
  2. In the code that prints or logs failures (e.g. the replayFailureOutput helper referenced in your comment), special‑case the messaging:
    • If result.signal is set and result.status is null, render something like: Command failed (signal SIGTERM) instead of exit 1.
    • Otherwise, keep the existing exit <status> message for non‑signal failures.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants