Skip to content

Commit 3babcf6

Browse files
feat(setup): add --check and --remove flags with dry-run + edit previews (#99)
* feat(setup): add --check and --remove flags with dry-run + edit previews `setup` previously only added its install hook. This adds two inverse modes, both honoring the existing --dry-run / --yes / --json flags and printing the exact set of proposed edits before touching disk: - `setup --check`: read-only verification. Exits 0 only when every package.json is configured for socket-patch and none failed to parse; otherwise exit 1. - `setup --remove`: reverts the lifecycle scripts setup added. Full revert — emptied postinstall/dependencies keys are deleted, an emptied `scripts` object is dropped, sibling scripts and key order are preserved. Scope is npm-family only, matching the surface `setup` already configures; check/remove operate purely on package.json. Core: `remove_socket_patch_from_script` + `remove_package_json{_object,_content}` in detect.rs (exact inverse of generate_updated_script, reusing the same non-object guards) and `remove_package_json` in update.rs. Tests: core unit tests; setup_invariants check/remove flows; cli_parse_setup flag + conflict coverage; and the setup-matrix driver now does a non-destructive check->remove->check round-trip after install/verify, asserted for npm-family cases (untagged elsewhere, consistent with the non-blocking BASELINE GAP convention). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * test(setup-matrix): verify check/remove behaviorally via install sequences The previous round-trip inspected package.json (grepped for socket-patch) and flag state. Replace it with a behavioral verification driven by real (setup)·(package-manager install) cycles, for npm-family cases that run setup: install -> patch NOT applied (no hook yet) setup --check -> fails (not configured) setup --yes; setup --check -> passes (configured) reinstall -> patch applied (hook fires; the main actual_applied) setup --remove --yes; setup --check -> fails (reverted) reinstall -> patch NOT applied (hook gone) A clean `rm -rf node_modules` precedes each observation so the lifecycle hook acts on a pristine package. run-case.sh factors out do_install/verify_applied/ reset_modules; emit_result drops `remove_clean` and adds applied_before_setup, applied_after_remove, and check_before_setup_exit. The harness round_trip_failure asserts the patch bookends are not-applied and check goes false->true->false. Non-npm / no-setup cases keep the simple single-install flow unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * test(setup-matrix): verify patches by RUNNING the code, not grepping the file The matrix decided "applied" by scanning the patched file for the marker string. Now it actually EXECUTES the patched module with the ecosystem's standard runner and checks for the marker in the runtime output: npm/yarn/pnpm -> node <file> bun -> bun <file> deno -> deno run pip -> ./venv/bin/python <file> uv -> uv run python poetry/pdm/hatch -> *run python To make the patched code observable at runtime, the committed blob is now runnable: `console.log("MARKER")` for JS, `print("MARKER")` for Python. Compiled/loaded ecosystems we can't execute (cargo/go/maven/nuget/gem/ composer) keep an inert comment and fall back to reading the file (`cat`), preserving today's behavior for those gaps. verify_applied() runs every resolved copy of the file (covers hoisting, the pnpm store, and workspace/monorepo member dirs) and ORs the results. Also fixes a parallel-test race: the blob was written to a fixed /tmp/sm_blob, so concurrent package-manager test fns clobbered each other's fixture (afterHash mismatch -> apply no-op). Each case now uses its own mktemp file. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 5b4e513 commit 3babcf6

7 files changed

Lines changed: 1280 additions & 65 deletions

File tree

0 commit comments

Comments
 (0)