diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9c2ffe0e87b..96ab35a297e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -309,8 +309,6 @@ jobs: needs: [docs-scope, changed-scope] if: needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_node == 'true' runs-on: blacksmith-16vcpu-ubuntu-2404 - env: - PLUGIN_EXTENSION_BOUNDARY_ENFORCE_AFTER: "2026-03-24T05:00:00Z" steps: - name: Checkout uses: actions/checkout@v6 @@ -323,41 +321,14 @@ jobs: install-bun: "false" use-sticky-disk: "false" - - name: Run plugin extension boundary guard with grace period - shell: bash - run: | - set -euo pipefail - - tmp_output="$(mktemp)" - if pnpm run lint:plugins:no-extension-imports >"$tmp_output" 2>&1; then - cat "$tmp_output" - rm -f "$tmp_output" - exit 0 - fi - - status=$? - cat "$tmp_output" - rm -f "$tmp_output" - - now_epoch="$(date -u +%s)" - enforce_epoch="$(date -u -d "$PLUGIN_EXTENSION_BOUNDARY_ENFORCE_AFTER" +%s)" - fix_instructions="If you are an LLM agent fixing this: run 'pnpm run lint:plugins:no-extension-imports', remove src/plugins/** -> extensions/** imports where possible, and if the remaining inventory is intentional for now update test/fixtures/plugin-extension-import-boundary-inventory.json in the same PR." - - if [ "$now_epoch" -lt "$enforce_epoch" ]; then - echo "::warning::Plugin extension import boundary violations are temporarily allowed until ${PLUGIN_EXTENSION_BOUNDARY_ENFORCE_AFTER}. This grace period ends in one week from the rollout date. After that timestamp this job will fail unless the inventory is reduced or the baseline is intentionally updated. ${fix_instructions}" - exit 0 - fi - - echo "::error::Plugin extension import boundary grace period ended at ${PLUGIN_EXTENSION_BOUNDARY_ENFORCE_AFTER}. ${fix_instructions}" - exit "$status" + - name: Run plugin extension boundary guard + run: pnpm run lint:plugins:no-extension-imports web-search-provider-boundary: name: "web-search-provider-boundary" needs: [docs-scope, changed-scope] if: needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_node == 'true' runs-on: blacksmith-16vcpu-ubuntu-2404 - env: - WEB_SEARCH_PROVIDER_BOUNDARY_ENFORCE_AFTER: "2026-03-24T05:00:00Z" steps: - name: Checkout uses: actions/checkout@v6 @@ -370,41 +341,14 @@ jobs: install-bun: "false" use-sticky-disk: "false" - - name: Run web search provider boundary guard with grace period - shell: bash - run: | - set -euo pipefail - - tmp_output="$(mktemp)" - if pnpm run lint:web-search-provider-boundaries >"$tmp_output" 2>&1; then - cat "$tmp_output" - rm -f "$tmp_output" - exit 0 - fi - - status=$? - cat "$tmp_output" - rm -f "$tmp_output" - - now_epoch="$(date -u +%s)" - enforce_epoch="$(date -u -d "$WEB_SEARCH_PROVIDER_BOUNDARY_ENFORCE_AFTER" +%s)" - fix_instructions="If you are an LLM agent fixing this: run 'pnpm run lint:web-search-provider-boundaries', move provider-specific web-search logic out of core, and if the remaining inventory is intentional for now update test/fixtures/web-search-provider-boundary-inventory.json in the same PR." - - if [ "$now_epoch" -lt "$enforce_epoch" ]; then - echo "::warning::Web search provider boundary violations are temporarily allowed until ${WEB_SEARCH_PROVIDER_BOUNDARY_ENFORCE_AFTER}. This grace period ends in one week from the rollout date. After that timestamp this job will fail unless the inventory is reduced or the baseline is intentionally updated. ${fix_instructions}" - exit 0 - fi - - echo "::error::Web search provider boundary grace period ended at ${WEB_SEARCH_PROVIDER_BOUNDARY_ENFORCE_AFTER}. ${fix_instructions}" - exit "$status" + - name: Run web search provider boundary guard + run: pnpm run lint:web-search-provider-boundaries extension-src-outside-plugin-sdk-boundary: name: "extension-src-outside-plugin-sdk-boundary" needs: [docs-scope, changed-scope] if: needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_node == 'true' runs-on: blacksmith-16vcpu-ubuntu-2404 - env: - EXTENSION_PLUGIN_SDK_BOUNDARY_ENFORCE_AFTER: "2026-03-24T05:00:00Z" steps: - name: Checkout uses: actions/checkout@v6 @@ -417,41 +361,14 @@ jobs: install-bun: "false" use-sticky-disk: "false" - - name: Run extension src boundary guard with grace period - shell: bash - run: | - set -euo pipefail - - tmp_output="$(mktemp)" - if pnpm run lint:extensions:no-src-outside-plugin-sdk >"$tmp_output" 2>&1; then - cat "$tmp_output" - rm -f "$tmp_output" - exit 0 - fi - - status=$? - cat "$tmp_output" - rm -f "$tmp_output" - - now_epoch="$(date -u +%s)" - enforce_epoch="$(date -u -d "$EXTENSION_PLUGIN_SDK_BOUNDARY_ENFORCE_AFTER" +%s)" - fix_instructions="If you are an LLM agent fixing this: run 'pnpm run lint:extensions:no-src-outside-plugin-sdk', move extension imports off core src paths and onto src/plugin-sdk/**, and if the remaining inventory is intentional for now update test/fixtures/extension-src-outside-plugin-sdk-inventory.json in the same PR." - - if [ "$now_epoch" -lt "$enforce_epoch" ]; then - echo "::warning::Extension src boundary violations are temporarily allowed until ${EXTENSION_PLUGIN_SDK_BOUNDARY_ENFORCE_AFTER}. This grace period ends in one week from the rollout date. After that timestamp this job will fail unless the inventory is reduced or the baseline is intentionally updated. ${fix_instructions}" - exit 0 - fi - - echo "::error::Extension src boundary grace period ended at ${EXTENSION_PLUGIN_SDK_BOUNDARY_ENFORCE_AFTER}. ${fix_instructions}" - exit "$status" + - name: Run extension src boundary guard + run: pnpm run lint:extensions:no-src-outside-plugin-sdk extension-plugin-sdk-internal-boundary: name: "extension-plugin-sdk-internal-boundary" needs: [docs-scope, changed-scope] if: needs.docs-scope.outputs.docs_only != 'true' && needs.changed-scope.outputs.run_node == 'true' runs-on: blacksmith-16vcpu-ubuntu-2404 - env: - EXTENSION_PLUGIN_SDK_INTERNAL_ENFORCE_AFTER: "2026-03-24T05:00:00Z" steps: - name: Checkout uses: actions/checkout@v6 @@ -464,33 +381,8 @@ jobs: install-bun: "false" use-sticky-disk: "false" - - name: Run extension plugin-sdk-internal guard with grace period - shell: bash - run: | - set -euo pipefail - - tmp_output="$(mktemp)" - if pnpm run lint:extensions:no-plugin-sdk-internal >"$tmp_output" 2>&1; then - cat "$tmp_output" - rm -f "$tmp_output" - exit 0 - fi - - status=$? - cat "$tmp_output" - rm -f "$tmp_output" - - now_epoch="$(date -u +%s)" - enforce_epoch="$(date -u -d "$EXTENSION_PLUGIN_SDK_INTERNAL_ENFORCE_AFTER" +%s)" - fix_instructions="If you are an LLM agent fixing this: run 'pnpm run lint:extensions:no-plugin-sdk-internal', remove extension imports of src/plugin-sdk-internal/** in favor of src/plugin-sdk/**, and if the remaining inventory is intentional for now update test/fixtures/extension-plugin-sdk-internal-inventory.json in the same PR." - - if [ "$now_epoch" -lt "$enforce_epoch" ]; then - echo "::warning::Extension plugin-sdk-internal boundary violations are temporarily allowed until ${EXTENSION_PLUGIN_SDK_INTERNAL_ENFORCE_AFTER}. This grace period ends in one week from the rollout date. After that timestamp this job will fail unless the inventory is reduced or the baseline is intentionally updated. ${fix_instructions}" - exit 0 - fi - - echo "::error::Extension plugin-sdk-internal boundary grace period ended at ${EXTENSION_PLUGIN_SDK_INTERNAL_ENFORCE_AFTER}. ${fix_instructions}" - exit "$status" + - name: Run extension plugin-sdk-internal guard + run: pnpm run lint:extensions:no-plugin-sdk-internal build-smoke: name: "build-smoke" diff --git a/package.json b/package.json index e3dfda5cd75..5087d9bdf72 100644 --- a/package.json +++ b/package.json @@ -511,7 +511,7 @@ "build:plugin-sdk:dts": "tsc -p tsconfig.plugin-sdk.dts.json || true", "build:strict-smoke": "pnpm canvas:a2ui:bundle && node scripts/tsdown-build.mjs && node scripts/runtime-postbuild.mjs && pnpm build:plugin-sdk:dts", "canvas:a2ui:bundle": "bash scripts/bundle-a2ui.sh", - "check": "pnpm check:host-env-policy:swift && pnpm format:check && pnpm tsgo && pnpm plugin-sdk:check-exports && pnpm lint && pnpm lint:tmp:no-random-messaging && pnpm lint:tmp:channel-agnostic-boundaries && pnpm lint:tmp:no-raw-channel-fetch && pnpm lint:agent:ingress-owner && pnpm lint:plugins:no-register-http-handler && pnpm lint:plugins:no-monolithic-plugin-sdk-entry-imports && pnpm lint:plugins:no-extension-src-imports && pnpm lint:plugins:no-extension-test-core-imports && pnpm lint:webhook:no-low-level-body-read && pnpm lint:auth:no-pairing-store-group && pnpm lint:auth:pairing-account-scope", + "check": "pnpm check:host-env-policy:swift && pnpm format:check && pnpm tsgo && pnpm plugin-sdk:check-exports && pnpm lint && pnpm lint:tmp:no-random-messaging && pnpm lint:tmp:channel-agnostic-boundaries && pnpm lint:tmp:no-raw-channel-fetch && pnpm lint:agent:ingress-owner && pnpm lint:plugins:no-register-http-handler && pnpm lint:plugins:no-monolithic-plugin-sdk-entry-imports && pnpm lint:plugins:no-extension-src-imports && pnpm lint:plugins:no-extension-test-core-imports && pnpm lint:plugins:no-extension-imports && pnpm lint:extensions:no-src-outside-plugin-sdk && pnpm lint:extensions:no-plugin-sdk-internal && pnpm lint:web-search-provider-boundaries && pnpm lint:webhook:no-low-level-body-read && pnpm lint:auth:no-pairing-store-group && pnpm lint:auth:pairing-account-scope", "check:docs": "pnpm format:docs:check && pnpm lint:docs && pnpm docs:check-i18n-glossary && pnpm docs:check-links", "check:host-env-policy:swift": "node scripts/generate-host-env-security-policy-swift.mjs --check", "check:loc": "node --import tsx scripts/check-ts-max-loc.ts --max 500",