9.6 KiB
Platform — Systematic Audit (cross-workspace)
Date: 2026-05-04
Tooling-backed audit (with GITEA_NPM_TOKEN available): full pnpm install,
typecheck, test, and lint run successfully across all 69 workspace packages
(packages/, services/, dashboards/).
Legend: 🔴 critical · 🟠 high · 🟡 medium · 🟢 low · ⬜ open · 🟦 in PR · ✅ fixed (commit hash on the right).
0. Health snapshot
| Check | Result | Notes |
|---|---|---|
pnpm install -r |
✅ pass | No warnings when GITEA_NPM_TOKEN is exported after sourcing ~/.zshrc. |
pnpm typecheck |
✅ pass | All TS sources compile (tsc --noEmit). |
pnpm test |
✅ pass | ~2,200 tests across 18+ test suites; one cowork-service EPIPE flake cleared on focused rerun. |
pnpm lint |
✅ pass | Workspace lint exits 0 with 0 errors / 155 warnings after 5b0fbc2. See section W. |
A. Lint pipeline blockers (fixed by this audit)
| # | Issue | Severity | Status | Fix |
|---|---|---|---|---|
| A1 | packages/design-tokens/scripts/validate-tokens.cjs — 45 no-undef errors for process / console. Root eslint config didn't declare a Node-script env, and inline /* eslint-env node */ is ignored by flat-config. |
🟠 | ✅ | this commit |
| A2 | packages/design-tokens/scripts/token-coverage.cjs — same root cause: 1 unused e in catch. |
🟢 | ✅ | this commit |
| A3 | packages/ui/eslint.config.js was a complete override (flat config doesn't merge with the root). It declared no parser, so 38 parsing errors fired on interface, import {…}, and other TS syntax in src/index.ts and src/components/*. |
🟠 | ✅ | this commit |
| A4 | packages/ui lint also re-included dist/**/*.d.ts because the root's ignores: ['dist/**'] isn't inherited by the package-local override. |
🟡 | ✅ | this commit |
| A5 | packages/ui/.storybook/preview.ts not covered by any TS-parser block. |
🟡 | ✅ | this commit |
| A6 | packages/feedback-client/src/index.ts — 2 no-undef for browser globals XMLHttpRequest / ProgressEvent (not in root globals list). |
🟢 | ✅ | this commit |
| A7 | packages/feedback-client/src/index.ts — preserve-caught-error violation in captureScreen() (re-throwing without cause). |
🟡 | ✅ | this commit |
| A8 | packages/feedback-client/src/index.ts — captureElement() declares unused params mimeType, quality. Renamed with _ prefix and documented why. |
🟢 | ✅ | this commit |
| A9 | packages/logger/src/__tests__/logger.test.ts — unused type import LoggerConfig. |
🟢 | ✅ | this commit |
| A10 | services/extraction-service/src/lib/circuit-breaker.test.ts — unused vitest import afterEach. |
🟢 | ✅ | this commit |
| A11 | services/extraction-service/src/modules/extract/sidecar-monitor.test.ts — unused type import HealthCheck. |
🟢 | ✅ | this commit |
| A12 | services/extraction-service/src/modules/extract/usage.test.ts — unused vitest import beforeEach. |
🟢 | ✅ | this commit |
| A13 | dashboards/tracker-web/src/__tests__/tracker-proxy.test.ts — unused local url (renamed to _url). |
🟢 | ✅ | this commit |
These all matter because pnpm -r exec eslint bails on the first package
failure, so the 45-error design-tokens issue was hiding everything below it.
Now the pipeline runs to completion and the current workspace has 0 lint
errors.
P. Pre-existing lint debt cleared
Current workspace-wide lint reports no errors:
0 errors
The stale handoff note expected 85 pre-existing errors, but a live rerun on 2026-05-04 found none. No P-sweep package commits were needed in this session.
W. Pre-existing lint warnings
Remaining lint output is warnings only. The largest groups are still
no-console in CLI tools, code generators, and diagnostic/runtime review areas
(create-app, sidecar-monitor, platform gen-module,
migrate-referrals, push notifications, and diagnostics modules). These are
case-by-case judgment calls and not blocking.
Follow-up package sweeps on 2026-05-04:
db4257fcleared admin feedback page React warnings.021f053typed predictive campaign event dispatch.04d2398cleared tracker-web roadmap console warnings and removed the stale CommonJS ESLint config in favor of the existingeslint.config.mjs.5fb4921documented the two intentional@bytelyst/broadcast-clientdeep-link diagnostics with narrow lint justifications.1089597cleared the remaining admin-web React hook/image/unused-symbol warnings.5b0fbc2documented intentional@bytelyst/configKey Vault startup diagnostics with narrow lint justifications.
Post-config sweep verification reran config build/test/lint and workspace lint; all pass. Workspace lint remains at 0 errors with 155 warnings.
R. Repo-state observations (not fixed)
| # | Observation | Severity | Status |
|---|---|---|---|
| R1 | Working tree had 3 uncommitted edits when the audit started: docker-compose.ecosystem.yml, products/nomgap/product.json, and services/platform-service/src/modules/flags/seed.ts. These were finalized separately in b440330 (chore(nomgap): finalize product deployment config). Current working tree is clean after 5b0fbc2. |
— | ✅ |
| R2 | Local main was 17 commits behind origin/main at the start of the session. Backup branch backup/main-20260504-062733 was taken from origin/main (the source of truth) — local stale main was not backed up. |
🟢 | ✅ (backup exists) |
| R3 | .npmrc references ${GITEA_NPM_TOKEN}. On this machine ~/.zshrc defines the token but does not export it, so use source ~/.zshrc && export GITEA_NPM_TOKEN before pnpm; this silences the WARN. |
🟢 | ✅ documented |
| R4 | Earlier pnpm install -r reported peer warnings for @azure/core-client@^1.10.0. A live rerun with the token exported reported no peer warnings. |
🟢 | ✅ verified |
Ordering of fixes
- Section A (this commit) — structural unblocks so
pnpm lintruns end-to-end again. - Section P — no current lint errors; no package sweeps needed.
- Section W — case-by-case warning review (defer; warnings only).
- Section R — housekeeping verified/documented.