CI red on master: package-lock.json out of sync (Missing: trustsignal-setup@0.1.2) #166

@chrismaz11

Diagnosis

All 8 npm-based jobs on master (typecheck, lint, test, web-build, skip-policy, dependency-audit, write-audit-record, signed-receipt-smoke) fail at the npm ci step on commit fbf2ac4 ("chore: force deploy") with:

npm error code EUSAGE
npm error `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync.
npm error Missing: trustsignal-setup@0.1.2 from lock file

package.json was updated to depend on the workspace package trustsignal-setup@0.1.2 but package-lock.json was not regenerated. Every CI job that runs npm ci fails before any actual work happens — that's why the cascade hit 8 jobs at once.

CodeQL (Analyze (javascript-typescript), Analyze (python)) and rust-build are green because they don't depend on npm ci.

Fix

git checkout master
git pull
rm -rf node_modules
npm install        # regenerates package-lock.json with trustsignal-setup@0.1.2
git add package-lock.json
git commit -m "chore: sync package-lock.json with workspace deps"
git push

Side effect

The 8 open dependabot PRs (#128, #130, #154, #155, #161, #162, #163, #164, #165) will continue to fail CI until this is fixed — they all rebase on the broken master and inherit the lockfile drift. Do not merge any of them until the lockfile is back in sync.

Also worth noting separately:

  • TrustSignal-App has weekly Snyk Code + Scorecards failures going back to 2026-04-13 (not blocking, but the badges look bad if a prospect checks).
  • MA-AT Cloud Build is failing at the build step on the latest push to main (Google Cloud project maat-trustsignal, build a53e647a-a1aa-429b-8dc3-6049d1579c8a). Logs are in the GCP console, not GitHub — needs a separate look.
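
The drift described under Diagnosis can be caught before a push by comparing the manifests with the lockfile directly. The sketch below is an added example, not part of the original issue or the TrustSignal repository; the workspace directory `packages/trustsignal-setup`, the root package name and the function name `findLockDrift` are assumptions.

```javascript
// Added example: detect package.json / package-lock.json drift (lockfileVersion 2 or 3).
function findLockDrift(rootManifest, workspaces, lock) {
  const problems = [];
  const pkgs = lock.packages || {};
  const lockedRoot = pkgs[""] || {};

  // 1. Each range declared in the root package.json must be recorded
  //    unchanged in the lockfile's root entry (key "").
  for (const field of ["dependencies", "devDependencies"]) {
    const declared = rootManifest[field] || {};
    const locked = lockedRoot[field] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (locked[name] !== range) {
        problems.push(`root ${field}: ${name}@${range} declared, lock has ${locked[name] ?? "nothing"}`);
      }
    }
  }

  // 2. Each workspace needs a lock entry at its directory with the same
  //    version, and a node_modules link that resolves to that directory.
  for (const [dir, manifest] of Object.entries(workspaces)) {
    const entry = pkgs[dir];
    if (!entry || entry.version !== manifest.version) {
      problems.push(`Missing: ${manifest.name}@${manifest.version} from lock file`);
      continue;
    }
    const link = pkgs[`node_modules/${manifest.name}`];
    if (!link || link.link !== true || link.resolved !== dir) {
      problems.push(`workspace ${manifest.name} is not linked to ${dir}`);
    }
  }
  return problems;
}

// Constructed sample data. The directory "packages/trustsignal-setup" and the
// root package name are assumptions, not values from the repository.
const wsDir = "packages/trustsignal-setup";
const rootManifest = { name: "example-root", workspaces: ["packages/*"],
  dependencies: { "trustsignal-setup": "0.1.2" } };
const workspaces = { [wsDir]: { name: "trustsignal-setup", version: "0.1.2" } };
const staleLock = { lockfileVersion: 3, packages: {
  "": { name: "example-root", workspaces: ["packages/*"] } } };
const syncedLock = { lockfileVersion: 3, packages: {
  "": { name: "example-root", workspaces: ["packages/*"],
        dependencies: { "trustsignal-setup": "0.1.2" } },
  [wsDir]: { name: "trustsignal-setup", version: "0.1.2" },
  "node_modules/trustsignal-setup": { resolved: wsDir, link: true } } };
console.log(findLockDrift(rootManifest, workspaces, staleLock));
console.log(findLockDrift(rootManifest, workspaces, syncedLock));
```

In a real check the three arguments come from `JSON.parse` of the root package.json, each workspace's package.json, and package-lock.json; a non-empty result should fail the hook or job.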
