PR #1034 (chore(config): hygiene rollout) deferred two items as out-of-scope for the hygiene PR. Capturing here so they don't get lost.
1. Retire scripts/validate-conventional-commits.js
Background: PR #1034 originally had two parallel commit-message validators:
- The lefthook commit-msg hook + wagoid/commitlint-github-action in CI, both consuming commitlint.config.mjs
- scripts/validate-conventional-commits.js, a hand-rolled regex validator with a permissive scope grammar and 50-char subject limit — invoked from .github/workflows/on-pull-request.yml for PR-title validation and from scripts/release-helper.js:194
PR #1034's round 4 fix replaced the workflow's invocation with pnpm exec commitlint, so the two gates now share one source of truth. But scripts/release-helper.js still calls the standalone validator. This means:
- A commit message that passes scripts/release-helper.js's preflight can still fail commitlint.config.mjs (different rules: permissive scope, 50-char subject).
- The standalone validator's grammar is documented separately from commitlint.config.mjs — easy to drift further.
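Acceptance criteria:
- scripts/release-helper.js validates commit messages via commitlint (using commitlint.config.mjs) instead of the hand-rolled regex.
- scripts/validate-conventional-commits.js deleted (no remaining consumers).
- scripts/release-helper.js tests still pass; CI green.
- commitlint.config.mjs docblock updated to drop the "still calls scripts/validate-conventional-commits.js" caveat (currently lines 12-17).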
Out of scope here: any broader refactor of scripts/release-helper.js beyond the validator swap.
2. Fix pre-existing TypeScript error packages/comfyui/src/client.ts:269
Background: PR #1034's Validate Changes / Run Tests CI check failed on commit 1ed2ff4b:
```
src/client.ts:269:32 - error TS2339: Property 'exception_message' does not exist on type '{}'.

269           error: message.data?.exception_message,
                                   ~~~~~~~~~~~~~~~~~
```
The file is in packages/comfyui and is not touched by PR #1034. The error is pre-existing in main — verified via git diff origin/main..HEAD -- "**/client.ts" returning empty. Main's CI was already red on this before #1034 opened.
What the code does: message.data?.exception_message is reading from a WebSocket message payload. message.data is typed {} (empty object), so TypeScript can't see any properties on it. The runtime data has the field; the type is just stale.
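Acceptance criteria:
- pnpm typecheck passes in packages/comfyui (and in the full workspace).
- message.data is given a proper type (interface for the WebSocket payload shape) rather than {} — or, if intentional any-style usage, cast explicitly + comment why.
- message.data?.<field> are checked for the same pattern and fixed in one pass.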
Out of scope here: the broader 17 dependabot vulnerabilities flagged on git push (2 critical, 10 high, 5 moderate) — those deserve their own triage.
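One way to meet the "proper type" criterion while still treating the socket payload as untrusted input, shown as an added example (not code from packages/comfyui). Only the `exception_message` field comes from this issue; the interface names, the `extractError` helper and the sample frames in the test are hypothetical.

```typescript
// Added example: every name except `exception_message` is hypothetical.

// Payload shape for an error message. The field is optional because the
// sender, not this client, decides what is present.
interface ExecutionErrorData {
  exception_message?: string;
}

// Envelope as received from the socket: `data` stays `unknown` until checked.
interface RawMessage {
  type: string;
  data?: unknown;
}

function isRecord(value: unknown): value is Record<string, unknown> {
  return typeof value === "object" && value !== null && !Array.isArray(value);
}

// Type guard: accepts objects whose `exception_message`, if present, is a string.
function isExecutionErrorData(value: unknown): value is ExecutionErrorData {
  if (!isRecord(value)) return false;
  const msg = value["exception_message"];
  return msg === undefined || typeof msg === "string";
}

// Parse one text frame and return the error string, or undefined when the
// frame is malformed or carries no usable message.
function extractError(frame: string): string | undefined {
  let parsed: unknown;
  try {
    parsed = JSON.parse(frame);
  } catch {
    return undefined; // not JSON
  }
  if (!isRecord(parsed) || typeof parsed["type"] !== "string") return undefined;
  const message: RawMessage = { type: parsed["type"], data: parsed["data"] };
  if (!isExecutionErrorData(message.data)) return undefined;
  return message.data.exception_message; // narrowed by the guard, so no TS2339
}
```

Compared with an explicit cast, the guard keeps the compile-time type and the runtime check in one place, so a payload with a non-string `exception_message` is rejected instead of being passed along.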
3. (Optional, low-priority) Tighten validate-commits job permissions
Background: The validate-commits job in .github/workflows/on-pull-request.yml inherits workflow-level permissions which include pull-requests: write and packages: read. The commit-validation step only needs contents: read. Per the audit that informed PR #1034, this could be tightened with per-job permissions: blocks.
Acceptance criteria:
- validate-commits job has its own permissions: { contents: read } block.
Why deferred: tightening permissions deserves a careful per-job audit, not a one-line drive-by. PR #1034's scope was already exceeded.
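A starting point for the per-job audit mentioned above, as an added example (not a script from this repository): it lists the jobs in a workflow file that have no `permissions:` block of their own and therefore inherit the workflow-level token scopes. `auditJobPermissions`, `inheriting` and the sample workflow are hypothetical, and the scan assumes block-style YAML with consistent indentation.

```typescript
// Added example: a line-based scan, not a YAML parser (block-style YAML only).
interface JobAudit { job: string; hasOwnPermissions: boolean }
function auditJobPermissions(workflow: string): JobAudit[] {
  const results: JobAudit[] = [];
  let inJobs = false;
  let jobIndent = -1; // indentation of job ids, learned from the first job
  let keyIndent = -1; // indentation of the current job's own keys
  let current: JobAudit | null = null;
  for (const raw of workflow.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s+)#.*$/, ""); // strip comments
    if (line.trim() === "") continue;
    const indent = line.search(/\S/);
    const key = /^\s*([A-Za-z0-9_-]+):/.exec(line)?.[1];
    if (indent === 0) { // a top-level key opens or closes the jobs section
      inJobs = key === "jobs";
      current = null;
      continue;
    }
    if (!inJobs) continue;
    if (jobIndent < 0) jobIndent = indent;
    if (indent === jobIndent && key !== undefined) {
      current = { job: key, hasOwnPermissions: false };
      results.push(current);
      keyIndent = -1;
    } else if (current !== null) {
      if (keyIndent < 0) keyIndent = indent;
      if (indent === keyIndent && key === "permissions") current.hasOwnPermissions = true;
    }
  }
  return results;
}

// Jobs that fall back to the workflow-level token scopes.
const inheriting = (wf: string): string[] =>
  auditJobPermissions(wf).filter((j) => !j.hasOwnPermissions).map((j) => j.job);

// Constructed sample: job name and workflow-level scopes are from the issue; the rest is hypothetical.
const SAMPLE_WORKFLOW = `
permissions:
  pull-requests: write
  packages: read
jobs:
  validate-commits:
    runs-on: ubuntu-latest
    steps:
      - run: pnpm exec commitlint
  publish:
    permissions:
      packages: read
`;
```

On the sample, `inheriting(SAMPLE_WORKFLOW)` returns only `validate-commits`, the job that would still receive `pull-requests: write` from the workflow-level block.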
Cross-ref: PR #1034 (sdk-hygiene), round 5 + round 4 commit messages.