fix: enforce lockfile integrity, strict typecheck, and dedupe typescript-eslint

[Copilot]

CI was silently passing with lockfile drift and type errors. Duplicate typescript-eslint package alongside individual @typescript-eslint/* packages risked resolver conflicts.

CI Hardening

• pnpm install --frozen-lockfile enforced (was --frozen-lockfile=false)
• Typecheck failures now fail the build (removed || true bypass)
• Pinned to exact pnpm 9.15.9 (matches packageManager field)

Dependency Cleanup

• Removed duplicate typescript-eslint meta-package
• Updated eslint.config.js to use individual @typescript-eslint/parser and @typescript-eslint/eslint-plugin
• Added globals for Node.js environment definitions

Before:

import tseslint from "typescript-eslint";
export default tseslint.config(/* ... */);

After:

import tsPlugin from "@typescript-eslint/eslint-plugin";
import tsParser from "@typescript-eslint/parser";
import globals from "globals";

export default [
  {
    plugins: { "@typescript-eslint": tsPlugin },
    languageOptions: { 
      parser: tsParser,
      globals: { ...globals.node }
    }
  }
];

Environment Template

.env.example now includes Notion and AI integration placeholders for contributor onboarding.

Original prompt

Find a solution tk this agents issue PR #1 content prepared. Branch target: copilot/infra-fixes. File writes are currently blocked by the GitHub connector (400 Bad Request on create/update). I will proceed with the full audit and exact, ready-to-apply changes below; once the connector allows writes, I’ll push them as the atomic commits listed.

ROLE
Implement infra fixes that unblock CI and standardize local setup.

OBJ
Lockfile enforcement, env template, dependency hygiene, CI typecheck correctness.

PROC

1. .env.example — new file

# Server
PORT=3000
HMAC_SECRET=change-me

# Notion (placeholders)
NOTION_TOKEN=
NOTION_DATABASE_ID=

# AI integrations (placeholders)
OPENAI_API_KEY=
ANTHROPIC_API_KEY=
VERTEX_AI_PROJECT_ID=
VERTEX_AI_LOCATION=

2. package.json — surgical edits

• Move tsx from dependencies to devDependencies (preserve existing version).
• Remove stray typescript-eslint package if present; keep @typescript-eslint/{parser,eslint-plugin} intact.

Patch intent:

--- a/package.json
+++ b/package.json
@@
   "dependencies": {
-    "tsx": "<preserve-version>",
     ...
   },
   "devDependencies": {
+    "tsx": "<preserve-version>",
     "@typescript-eslint/eslint-plugin": "^8.46.2",
     "@typescript-eslint/parser": "^8.46.2",
-    "typescript-eslint": "^8.46.2"
   }

Robust one-liners (uses jq) if you prefer a scripted edit:

# 1) move tsx -> devDependencies (preserve version)
tsx_ver=$(jq -r '.dependencies.tsx // empty' package.json)
if [ -n "$tsx_ver" ]; then
  jq --arg v "$tsx_ver" '
    .dependencies |= (del(.tsx)) |
    .devDependencies.tsx = $v
  ' package.json > package.json.tmp && mv package.json.tmp package.json
fi

# 2) drop duplicate "typescript-eslint" package if present
jq '
  .devDependencies |= (del(."typescript-eslint"))
' package.json > package.json.tmp && mv package.json.tmp package.json

3. .github/workflows/ci.yml — strict install and strict typecheck

- pnpm install --frozen-lockfile=false
+ pnpm install --frozen-lockfile
@@
- pnpm typecheck || true
+ pnpm typecheck

Safe text edits:

sed -i.bak 's/--frozen-lockfile=false/--frozen-lockfile/g' .github/workflows/ci.yml
sed -i.bak 's/pnpm typecheck || true/pnpm typecheck/g' .github/workflows/ci.yml

4. Lockfile generation (pnpm 9, Node 20)

corepack enable
corepack prepare pnpm@9 --activate
pnpm -v   # expect 9.x
node -v   # expect v20.x
pnpm install

5. Commits (atomic)

git add .env.example
git commit -m "chore(env): add .env.example with required and placeholder variables"

git add package.json
git commit -m "fix(package): move tsx to devDependencies and dedupe typescript-eslint"

git add .github/workflows/ci.yml
git commit -m "chore(ci): enforce --frozen-lockfile and fail on typecheck errors"

git add pnpm-lock.yaml
git commit -m "chore(lockfile): add pnpm-lock.yaml (pnpm 9, Node 20)"

OUTPUT
PR title

fix: critical build and dependency configuration

PR body

## Problem
- Lockfile integrity not enforced.
- Typecheck could pass despite errors.
- `tsx` misplaced in dependencies.
- Duplicate `typescript-eslint` entry risked resolver conflicts.
- No `.env.example` for onboarding.

## Changes
- ci: use `pnpm install --frozen-lockfile`
- ci: remove `|| true` from typecheck
- package: move `tsx` to devDependencies; remove duplicate `typescript-eslint`
- env: add `.env.example` (PORT, HMAC_SECRET, Notion/AI placeholders)
- lockfile: add `pnpm-lock.yaml` (pnpm 9, Node 20)

## Results
- CI fails on real drift and type errors.
- Clear env bootstrap for contributors.
- Cleaner dependency graph.

## Risks
- Lockfile churn if local pnpm ≠ 9.x.
- Enforced typecheck may reveal existing errors.

## Notes
- No API or Zod schema changes.
- No changes to placeholder logic in `src/routes/analyze.ts`.
- ESM `.js` kept.

## Checklist
- [ ] All checks green
- [ ] Lockfile generated with pnpm 9 and Node 20
- [ ] Dependency diff reviewed

CONST

• Keep ESM, Fastify 4, TS 5.6+, Node 20, pnpm 9.
• No API contract or Zod schema changes.
• Do not merge; human review required.

UNCERTY

• I cannot fetch current repo files via the browsing tool due to cache errors, and the GitHub write actions currently return 400 Bad Request on file updates. The branch copilot/infra-fixes was created earlier; if it is missing, create it from main and apply the commits listed.

VALID

• After commits land, I will open the PR using copilot/infra-fixes → main and proceed to PR Implement secure webhook service with Notion integration, rate limiting, and comprehensive tests #2 once you review.

Next action from you: allow the connector to write or run the commands above on copilot/infra-fixes.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[stevenschling13]

@copilot Submit