Fix renovate config

.editorconfig

@@ -0,0 +1,15 @@
+# EditorConfig helps maintain consistent coding styles
+# https://editorconfig.org
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.{ts,js,mts,mjs,json,jsonc}]
+indent_size = 2

.github/renovate.json

@@ -23,7 +23,7 @@
     },
     {
       "description": "Do not update sccache",
-      "matchPackageNames": ["mozilla/sccache", "sccache"],
+      "matchPackageNames": ["mozilla/sccache", "sccache", "github:mozilla/sccache"],
       "enabled": false
     },
     {
@@ -51,6 +51,7 @@
   "customManagers": [
     {
       "customType": "regex",
+      "description": "Update mise itself in .mise-version",
       "managerFilePatterns": ["/^\\.mise-version$/"],
       "matchStrings": ["(?<currentValue>v\\d+\\.\\d+\\.\\d+)"],
       "depNameTemplate": "jdx/mise",
@@ -69,23 +70,15 @@
     },
     {
       "customType": "regex",
-      "description": "Update tools in mise.toml using github: shorthand",
-      "fileMatch": ["^mise\\.toml$"],
+      "description": "Update tools in mise.toml",
+      "managerFilePatterns": ["/^mise\\.toml$/"],
       "matchStrings": [
-        "\"github:(?<lookupName>[^/]+/[^\"@/\\s]+)\"\\s*=\\s*\"v?(?<currentValue>[^\"@\\s]+)\"",
-        "\\[tools\\.\"github:(?<lookupName>[^/]+/[^\"@/\\s]+)\"\\](?:(?:(?!version_prefix|version\\s*=)[\\s\\S])*?)version\\s*=\\s*\"v?(?<currentValue>[^\"@\\s]+)\""
-      ],
-      "datasourceTemplate": "github-releases"
-    },
-    {
-      "customType": "regex",
-      "description": "Update tools in mise.toml with version_prefix",
-      "fileMatch": ["^mise\\.toml$"],
-      "matchStrings": [
-        "\\[tools\\.\"github:(?<lookupName>[^/]+/[^\"@/\\s]+)\"\\](?:(?:(?!version\\s*=)[\\s\\S])*?)version_prefix\\s*=\\s*\"(?<versionPrefix>.*?)\"(?:(?:(?!version\\s*=)[\\s\\S])*?)version\\s*=\\s*\"(?<currentValue>.*?)\""
+        "\"github:(?<packageName>[^/]+/[^\"@/\\s]+)\"\\s*=\\s*\"v?(?<currentValue>[^\"@\\s]+)\"",
+        "\\[tools\\.\"github:(?<packageName>[^/]+/[^\"@/\\s]+)\"\\][^[]*?(?:version_prefix\\s*=\\s*\"(?<versionPrefix>[^\"\\s]+)\"[^[]*?)?version\\s*=\\s*\"v?(?<currentValue>[^\"@\\s]+)\""
       ],
+      "depNameTemplate": "github:{{packageName}}",
       "datasourceTemplate": "github-releases",
-      "extractVersionTemplate": "^{{versionPrefix}}(?<version>.*)$"
+      "extractVersionTemplate": "^(?:{{versionPrefix}})?(?<version>.*)$"
     }
   ],
   "pinDigests": true,

.github/workflows/release.yaml

@@ -164,7 +164,7 @@ jobs:
         shell: "bash"
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-        run: "gh release download $GITHUB_REF_NAME --pattern package.tar.gz"
+        run: "gh release download \"$GITHUB_REF_NAME\" --pattern package.tar.gz"
       - name: "Publish to npmjs.org"
         shell: "bash"
         run: "npm publish package.tar.gz --access public --provenance"
@@ -189,6 +189,6 @@ jobs:
       - name: "Verify release installation"
         shell: "bash"
         run: |
-          cd $(mktemp -d)
+          cd "$(mktemp -d)"
           npm init -y
-          npm install node-reqwest@${GITHUB_REF_NAME#v}
+          npm install "node-reqwest@${GITHUB_REF_NAME#v}"

.vscode/extensions.json

@@ -1,8 +1,10 @@
 {
   "recommendations": [
     "hverlin.mise-vscode",
+    "editorconfig.editorconfig",
     "natqe.reload",
     "streetsidesoftware.code-spell-checker",
+    "davidanson.vscode-markdownlint",
     "gruntfuggly.todo-tree",
     "fill-labs.dependi",
     "christian-kohler.npm-intellisense",
@@ -19,6 +21,8 @@
     "ms-python.python",
     "redhat.vscode-yaml",
     "timonwong.shellcheck",
+    "foxundermoon.shell-format",
+    "arahata.linter-actionlint",
     "ms-azuretools.vscode-containers",
     "docker.docker",
     "ms-vscode-remote.remote-containers"

.vscode/settings.json

@@ -19,7 +19,12 @@
     "editor.defaultFormatter": "redhat.vscode-yaml"
   },
   "[shellscript]": {
-    "editor.defaultFormatter": "timonwong.shellcheck"
+    "editor.defaultFormatter": "foxundermoon.shell-format"
+  },
+  "[markdown]": {
+    "editor.codeActionsOnSave": {
+      "source.fixAll.markdownlint": "explicit"
+    }
   },
   "[python]": {
     "editor.defaultFormatter": "charliermarsh.ruff",

mise.toml

@@ -46,6 +46,8 @@ yq = "4.50.1"
 "github:aquasecurity/trivy" = "0.68.2"
 "github:google/yamlfmt" = "0.21.0"
 "github:koalaman/shellcheck" = "0.11.0"
+"github:zricethezav/gitleaks" = "8.27.2"
+"github:rhysd/actionlint" = "1.7.7"
 "github:astral-sh/uv" = "0.9.26"
 "github:cargo-bins/cargo-binstall" = "1.16.6"
 
@@ -75,6 +77,10 @@ os = ["linux", "macos"]
 version = "0.6.23"
 os = ["linux", "macos"]
 
+[tools.shfmt]
+version = "3.11.0"
+os = ["linux", "macos"]
+
 # Unpacked binaries require bin to work
 [tools."github:biomejs/biome"]
 version_prefix = "@biomejs/biome@"
@@ -321,6 +327,32 @@ description = "Check shell scripts (no auto-fix available)"
 hide = true
 run = [{ task = "check:shellcheck" }]
 
+# --- shfmt (shell formatting) ---
+[tasks."check:shfmt"]
+description = "Check shell script formatting"
+hide = true
+run = "shfmt -i 4 -d docker-entrypoint.sh"
+run_windows = "exit 0"
+sources = ["docker-entrypoint.sh"]
+
+[tasks."fix:shfmt"]
+description = "Format shell scripts with shfmt"
+hide = true
+run = "shfmt -i 4 -w docker-entrypoint.sh"
+run_windows = "exit 0"
+sources = ["docker-entrypoint.sh"]
+
+# --- gitleaks (secret detection) ---
+[tasks."check:gitleaks"]
+description = "Scan for secrets with gitleaks"
+hide = true
+run = "gitleaks detect --no-banner"
+
+[tasks."fix:gitleaks"]
+description = "Scan for secrets (no auto-fix available)"
+hide = true
+run = [{ task = "check:gitleaks" }]
+
 # --- hadolint (Dockerfile) ---
 [tasks."check:hadolint"]
 description = "Check Dockerfile with hadolint"
@@ -348,6 +380,18 @@ description = "Check GitHub Actions (no auto-fix available)"
 hide = true
 run = [{ task = "check:zizmor" }]
 
+# --- actionlint (GitHub Actions syntax) ---
+[tasks."check:actionlint"]
+description = "Lint GitHub Actions workflows"
+hide = true
+run = "actionlint"
+sources = [".github/**/*.{yaml,yml}"]
+
+[tasks."fix:actionlint"]
+description = "Lint GitHub Actions (no auto-fix available)"
+hide = true
+run = [{ task = "check:actionlint" }]
+
 # --- semgrep ---
 [tasks."check:semgrep"]
 description = "Security scan with semgrep"
@@ -393,6 +437,19 @@ description = "Audit pnpm dependencies (no auto-fix available)"
 hide = true
 run = [{ task = "check:pnpm-audit" }]
 
+# --- renovate ---
+[tasks."check:renovate"]
+description = "Validate Renovate configuration"
+hide = true
+env = { LOG_LEVEL = "warn" }
+run = "pnpm exec renovate-config-validator --strict .github/renovate.json"
+sources = [".github/renovate.json"]
+
+[tasks."fix:renovate"]
+description = "Validate Renovate configuration (no auto-fix available)"
+hide = true
+run = [{ task = "check:renovate" }]
+
 # --- Global check/fix tasks ---
 [tasks.check]
 description = "Verify code quality"
@@ -410,11 +467,15 @@ depends = [
     "check:cargo-deny",
     "check:typos",
     "check:shellcheck",
+    "check:shfmt",
+    "check:gitleaks",
     "check:hadolint",
     "check:zizmor",
+    "check:actionlint",
     "check:semgrep",
     "check:trivy-fs",
     "check:pnpm-audit",
+    "check:renovate",
 ]
 
 [tasks.fix]
@@ -433,11 +494,15 @@ depends = [
     "fix:cargo-deny",
     "fix:typos",
     "fix:shellcheck",
+    "fix:shfmt",
+    "fix:gitleaks",
     "fix:hadolint",
     "fix:zizmor",
+    "fix:actionlint",
     "fix:semgrep",
     "fix:trivy-fs",
     "fix:pnpm-audit",
+    "fix:renovate",
 ]
 
 # ============================================================================

package.json

@@ -4,18 +4,19 @@
   "type": "module",
   "packageManager": "pnpm@10.28.0+sha512.05df71d1421f21399e053fde567cea34d446fa02c76571441bfc1c7956e98e363088982d940465fd34480d4d90a0668bc12362f8aa88000a64e83d0b0e47be48",
   "engines": {
-    "node": ">=22.19.1",
-    "pnpm": ">=10.0.0"
+    "node": "^22.13.0 || ^24.11.0",
+    "pnpm": "^10.0.0"
   },
   "devDependencies": {
     "@google/gemini-cli": "catalog:",
     "@playwright/test": "catalog:",
     "@taplo/cli": "catalog:",
     "@types/node": "catalog:",
-    "husky": "catalog:",
+    "fd-lock": "catalog:",
     "hono": "catalog:",
+    "husky": "catalog:",
     "markdownlint-cli2": "catalog:",
-    "fd-lock": "catalog:",
+    "renovate": "catalog:",
     "vitest": "catalog:"
   },
   "scripts": {
@@ -34,10 +35,14 @@
       "undici": "7.18.2"
     },
     "onlyBuiltDependencies": [
+      "better-sqlite3",
+      "core-js-pure",
+      "dtrace-provider",
       "electron",
       "esbuild",
       "node-pty",
       "protobufjs",
+      "re2",
       "tree-sitter-bash"
     ]
   }