chore(dx): unify local and CI verify pipeline

[ndycode]

Summary

• add canonical verify scripts in package scripts
• route CI test matrix to one command: npm run verify:ci
• align contributor docs and PR validation template to the verify workflow

What changed

• package scripts:
  • verify:repo
  • verify:quality
  • verify
  • verify:ci
• CI workflow:
  • replace discrete repo-hygiene, audit, lockfile, typecheck, coverage, and build steps in matrix test job with npm run verify:ci
  • keep non-blocking npm run audit:all
• docs and templates:
  • CONTRIBUTING.md local gate now centered on npm run verify
  • docs/development/TESTING.md updated with verify commands and revised local gate
  • PR template validation updated to verify-first flow while preserving component gate references

Validation evidence

• npm ci
• npm run verify
• npm run verify:ci
• npm run test -- test/documentation.test.ts

Risk and rollback

• risk level: low
• no runtime product behavior changes
• rollback: revert commit fd53da6

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

this pr unifies the local and CI verification pipeline by introducing four composed verify:* scripts and routing the CI test matrix to a single npm run verify:ci step. it also adds windows-latest (Node 20.x) to the CI matrix, which is a meaningful improvement for a project that explicitly targets windows desktop environments.

key observations:

• the verify / verify:ci split is architecturally sound: verify:ci intentionally omits lint since the CI lint job handles it separately
• the PR template asks contributors to check off both npm run verify and npm run verify:ci locally, which is redundant — verify is a strict superset of verify:ci, so if the former passes, the latter is guaranteed to pass
• the documentation test pins exact script strings as a contract guard, which is good, but does not assert the corresponding ci.yml wiring despite the test name claiming it covers CI alignment
• the windows-latest runner addition is not accompanied by any documentation of Windows filesystem concurrency safety (EPERM/EBUSY handling) for the scripts invoked in verify:repo, which is required by project policy for every change touching the verification pipeline on windows

Confidence Score: 4/5

• safe to merge — no runtime behavior changes; the verify script composition is correct and the windows CI addition is net positive.
• all changes are developer tooling and docs with no impact on runtime product behavior. the main concerns are (1) a redundant checklist item in the PR template that adds contributor confusion but causes no breakage, (2) a documentation test that could be tighter, and (3) missing Windows concurrency safety documentation per project policy. none of these block correctness, but the policy gap should be addressed before merging.
• .github/pull_request_template.md (redundant verify:ci step) and .github/workflows/ci.yml (missing Windows concurrency safety documentation per project policy).

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	collapses 6 discrete CI steps into npm run verify:ci; adds windows-latest runner for Node 20.x — good platform coverage, but no documentation of Windows filesystem concurrency safety for the scripts invoked.
package.json	adds 4 new verify scripts with a clean, consistent composition; verify:ci intentionally omits lint (handled by separate CI job); sequential chaining is safe for single-process runs.
.github/pull_request_template.md	updated validation checklist includes both verify and verify:ci, which is redundant locally since verify is a strict superset; may confuse contributors about what they actually need to run.
test/documentation.test.ts	adds script contract test that pins exact script strings — solid guard against drift; missing assertion against ci.yml content despite the test name claiming CI wiring coverage.
CONTRIBUTING.md	local gate docs updated cleanly; clearly documents component gates for triage; no issues found.
docs/development/TESTING.md	verify commands added at the top of core commands section; recommended gate simplified to two steps; consistent with CONTRIBUTING.md.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Developer runs local gate] --> B[npm run verify]
    B --> C[npm run lint]
    B --> D[npm run verify:repo]
    B --> E[npm run verify:quality]
    D --> D1[clean:repo:check]
    D --> D2[audit:ci]
    D --> D3[test lockfile-version-floor.test.ts]
    E --> E1[typecheck]
    E --> E2[coverage = build + vitest --coverage]

    F[CI: test matrix job] --> G[npm run verify:ci]
    G --> D
    G --> E

    H[CI: lint job - ubuntu only] --> I[npm run lint]

    J[CI matrix] --> K[ubuntu-latest Node 20.x]
    J --> L[ubuntu-latest Node 22.x]
    J --> M[windows-latest Node 20.x]
    K --> G
    L --> G
    M --> G

    style B fill:#22c55e,color:#fff
    style G fill:#3b82f6,color:#fff
    style M fill:#f59e0b,color:#fff

Loading

_{Last reviewed commit: 83a683e}

Context used:

• Rule from dashboard - What: Every code change must explain how it defends against Windows filesystem concurrency bugs and ... (source)

[coderabbitai]

📝 Walkthrough

Walkthrough

pr consolidates verification steps into composite npm scripts (verify, verify:repo, verify:quality, verify:ci) and updates ci workflow, contributing guide, and testing docs to reference these scripts instead of individual lint/typecheck/test/build commands. changes touch ci wiring, docs, package scripts, and tests. (≤50 words)

Changes

Cohort / File(s)	Summary
ci & pr templates lib/.github/pull_request_template.md:1, lib/.github/workflows/ci.yml:1	validation checklist updated to use verify/verify:ci; test job matrix now includes matrix.os (adds windows-latest), and multiple explicit steps (repo hygiene, ci-policy, lockfile floor guard) replaced by a single npm run verify:ci step.
docs & contributor guidance lib/CONTRIBUTING.md:1, lib/docs/development/TESTING.md:1	replaced local gate instructions with npm run verify and npm run verify:ci examples; added verify core commands and streamlined recommended pre-PR commands.
package scripts lib/package.json:1	added composite scripts: verify:repo, verify:quality, verify, verify:ci wiring existing tasks (lint, repo checks, typecheck, coverage, ci audits) into umbrella commands; no existing scripts removed.
tests test/documentation.test.ts:1	new assertions validating package script strings and presence of verify:repo/verify:quality across generated PR body, contributing docs, and governance templates; expands documentation-related expectations.

notes requiring attention: missing explicit regression tests for runtime behavior of composed scripts (lib/package.json:1), windows-specific run validation for the new matrix entry (lib/.github/workflows/ci.yml:1), and concurrency/race conditions when multiple verify tasks run in parallel or on shared resources (see test/documentation.test.ts:1).

Sequence Diagram(s)

sequenceDiagram
    participant developer as developer
    participant repo as repo
    participant ci as ci runner
    participant npm as npm scripts
    participant checks as verify steps

    developer->>repo: open PR (references verify)
    repo->>ci: trigger workflow (matrix.os)
    ci->>npm: run "npm run verify:ci"
    npm->>checks: run verify:repo (repo hygiene, audit, lockfile)
    npm->>checks: run verify:quality (typecheck, coverage)
    checks-->>ci: step results
    ci-->>repo: report status (pass/fail)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	pr description follows the template structure with summary, what changed, validation evidence, and risk/rollback, but lacks explicit documentation of windows filesystem concurrency safety per project policy and contains a redundant verify:ci checklist item.	add explicit section documenting windows fs retry behavior, token redaction in logs, and pointer to regression tests covering eperm/ebusy race conditions. remove redundant 'npm run verify:ci' from local validation checklist since verify is a strict superset.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	title follows conventional commits format (chore(dx): ...), uses lowercase imperative, and is 45 chars well under 72-char limit. accurately summarizes the main change: unifying local and CI verify pipelines.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch dx/pr1-verify-pipeline

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/development/TESTING.md (1)

27-34: ⚠️ Potential issue | 🟠 Major

testing docs are still partially out of sync with the verify workflow.

Line [27]-Line [34] keeps legacy component commands and does not map clearly to verify:repo/verify:quality. Line [49]-Line [51] also needs an explicit migration/upgrade-note reminder for this workflow shift.

as per coding guidelines, "docs/**: keep README, SECURITY, and docs consistent with actual CLI flags and workflows. whenever behavior changes, require updated upgrade notes and mention new npm scripts."

ref: lib/docs/development/TESTING.md:27-34, lib/docs/development/TESTING.md:49-51

Also applies to: 49-51

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/development/TESTING.md` around lines 27 - 34, Update the TESTING.md
section that lists legacy component commands to replace or map those npm scripts
to the new verify scripts: remove or annotate the old "npm run typecheck / lint
/ test / build" block and show the new canonical commands "npm run verify:repo"
and "npm run verify:quality" (and mention any flags they accept) so the docs
match the CLI/workflow; additionally add an explicit migration/upgrade note in
the later section (the block referenced around lines 49–51) describing the
workflow shift and instructing users how to transition from the old component
scripts to the new verify:repo/verify:quality scripts.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/pull_request_template.md:
- Line 14: The PR template's triage checklist item "- [ ] if triaging failures,
validated component gates: `npm run lint`, `npm run typecheck`, `npm test`, `npm
run build`" is missing the verify step; update that checklist entry to include
the verify/repo hygiene commands by adding `npm run verify:repo` (or an explicit
sublist of the repo hygiene commands run by that script) so triage runners must
run the repo verification (audit/lockfile/hygiene) before marking the gate as
validated.

In @.github/workflows/ci.yml:
- Around line 31-32: The CI currently only runs the verify pipeline on ubuntu,
leaving Windows-specific fs edge cases untested; add a Windows runner to the
workflow by expanding the job matrix or adding a parallel job that uses runs-on:
windows-latest and executes the same step that runs "npm run verify:ci" (the
existing "Run CI verify pipeline" step) so the verify script is invoked on
Windows to catch ebusy/eperm and file-write race behaviors; ensure any
OS-specific environment setup or path normalization used elsewhere in the
workflow is duplicated for the Windows job so the verify script runs with
equivalent environment.

In `@CONTRIBUTING.md`:
- Around line 62-66: The failure-triage instructions under the "if triaging
failures, run component gates directly" section are incomplete—add the missing
repo-level checks so the local triage mirrors CI: include the repo-hygiene,
audit, and lockfile-floor commands (or replace the list with a single reference
to the higher-level scripts verify:repo or verify:quality) and update the bullet
list for failure-triage (or the heading where those commands appear) so it runs
the same repo-level gates used by CI.

In `@package.json`:
- Around line 64-67: Add a regression test that asserts the package.json
"scripts" contract (verify, verify:repo, verify:quality, verify:ci) remains
unchanged: update or create a test (e.g., in test/documentation.test.ts) that
reads lib/package.json and compares the scripts object entries for the keys
"verify", "verify:repo", "verify:quality", and "verify:ci" against the expected
command strings (from lines shown), failing if any link is altered so docs/CI
script wiring cannot silently desync. Ensure the test references the
package.json path and the exact script keys
("verify","verify:repo","verify:quality","verify:ci") so future edits trigger a
failing test.

---

Outside diff comments:
In `@docs/development/TESTING.md`:
- Around line 27-34: Update the TESTING.md section that lists legacy component
commands to replace or map those npm scripts to the new verify scripts: remove
or annotate the old "npm run typecheck / lint / test / build" block and show the
new canonical commands "npm run verify:repo" and "npm run verify:quality" (and
mention any flags they accept) so the docs match the CLI/workflow; additionally
add an explicit migration/upgrade note in the later section (the block
referenced around lines 49–51) describing the workflow shift and instructing
users how to transition from the old component scripts to the new
verify:repo/verify:quality scripts.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

Run ID: 2f5abb7e-a6c0-4e72-ab52-cccab920d91d

📥 Commits

Reviewing files that changed from the base of the PR and between d36b04f and fd53da6.

📒 Files selected for processing (5)

• .github/pull_request_template.md
• .github/workflows/ci.yml
• CONTRIBUTING.md
• docs/development/TESTING.md
• package.json

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Greptile Review

🧰 Additional context used

📓 Path-based instructions (1)

docs/**

⚙️ CodeRabbit configuration file

keep README, SECURITY, and docs consistent with actual CLI flags and workflows. whenever behavior changes, require updated upgrade notes and mention new npm scripts.

Files:

• docs/development/TESTING.md

[ndycode]

@coderabbitai review

Re-triggering review to clear the transient rate-limit status check failure.

[coderabbitai]

@ndycode: re-triggering the review now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[ndycode]

Re-requesting CodeRabbit review: the current failure is CodeRabbit: Review rate limit exceeded while other checks are green.

[ndycode]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[ndycode]

Follow-up tracking: external blocker recorded in #44.

Current failing context remains:

• CodeRabbit: Review rate limit exceeded

Actions already taken:

• re-triggered @coderabbitai review
• verified review threads are resolved

Next required step is external quota reset/increase, then rerun CodeRabbit.

[coderabbitai]

@ndycode: acknowledged — rate limit blocker is an infrastructure constraint on my end, not a code issue. re-triggering now to pick up the latest state.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.