Follow up to commit 042750c which only converted workflow-level
invocations. With Node.js 22 as the floor, the chained scripts inside
each package.json can also use `node --run` directly, dropping the
intermediate npm process when these scripts run.
- root `prepare`
- browser `build-all`, `lint`
- website/client `lint`
- website/server `lint`
intent(test-ownership): move tests into website/server/tests/ so they collocate with the code under test and stop reaching up through three parents; reviewer follow-up wanted dedicated coverage and the root vs. website/server package boundary makes collocation the right long-term layout
decision(vitest-config): give website/server its own vitest.config.ts + `test` script; root's existing tests/**/*.test.ts include no longer catches server tests since they moved outside that tree, so the two test runs stay independent
decision(tsconfig-test): add tsconfig.test.json extending the build config and lift lint-tsc to `-p tsconfig.test.json` — the build tsconfig's rootDir: "./src" excludes tests/, so a single lint command wouldn't have type-checked them
learned(valibot-instanceof): with tests now resolving valibot from the same website/server/node_modules as validateRequest, the cause-check can go back to `instanceof v.ValiError` — the duck-type workaround was only needed when the root harness and server pulled different valibot copies
constraint(ci-website): added a `test-website-server` job that links the local repomix build the same way lint-website-server does; tests don't actually import repomix today, but colocation means they easily could later and the link step keeps parity
intent(server): complete the project-wide zod → valibot swap started by the CLI config schema in #1489
constraint(pack-event-schema): valibot issue paths are `{ key }` objects, not primitives, so classifyRejectReason's `path === 'format'` fallback had to extract `segment.key` before joining
decision(validation-helper): handle ValiError via `instanceof` rather than the duck-typing used in src/shared/errorHandle.ts — website/server owns its own error chain with no worker-boundary crossings, so the cross-library duck check is unnecessary noise here
learned(server): website/server has no test suite (lint is `tsgo --noEmit` only), so behavior parity was verified manually via a one-off tsx smoke script hitting each reject-reason bucket; MCP tool schemas stay on zod because @modelcontextprotocol/sdk's `AnySchema` is `z3.ZodTypeAny | z4.\$ZodType` with no standard-schema support yet
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Applebot and other JS-capable crawlers were visiting permalink URLs
(repomix.com/?repo=xxx), executing the frontend JS which auto-triggers
POST /api/pack on mount. This caused massive parallel git clone
operations that exceeded the 1024 MiB memory limit on Cloud Run,
resulting in OOM crash loops.
- Add server-side botGuardMiddleware using `isbot` package to reject
bot requests to /api/* with 403 before they consume resources
- Add frontend bot detection to skip auto-pack execution in onMounted
when the user agent is a known crawler
- Place bot guard before rate limiter to avoid counting bot requests
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add a daily pack limit of 10 requests per IP address using Upstash Redis
to persist rate limiting state across Cloud Run instance restarts and scaling.
- Add @upstash/ratelimit and @upstash/redis dependencies
- Add dailyRateLimit utility with fixedWindow(10, '1 d') algorithm
- Update rate limit middleware to check in-memory short-term limit first
(saves Upstash commands for burst traffic), then Upstash daily limit
- Fail open on Upstash errors to avoid blocking requests
- Configure Cloud Run to read Upstash credentials from Secret Manager
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace @google-cloud/logging-winston with Console transport and Cloud Logging
severity mapping. Cloud Run automatically sends stdout to Cloud Logging, so
a dedicated transport is unnecessary.
Changes:
- Remove @google-cloud/logging-winston dependency
- Add severity mapping for Cloud Logging compatibility
- Add trace context extraction for distributed tracing
- Implement code splitting for server and worker bundles
- Add worker-entry.ts for minimal worker bundle
- Simplify Dockerfile to only copy tinypool and tiktoken
Move esbuild bundling and WASM collection from Dockerfile to package.json
for easier local testing and maintenance.
Added scripts:
- bundle: Full bundle (build + esbuild + wasm)
- bundle:esbuild: Run esbuild bundling
- bundle:wasm: Copy tree-sitter WASM files
- start:bundle: Run bundled server locally
Change repomix dependency from npm registry to GitHub main branch.
This allows the website server to use the latest development version
with prepare script support for automatic builds.
The version is locked in package-lock.json and can be updated
explicitly with `npm update repomix` when needed.
Updates validation.ts to use Zod v4 API:
- Changed error.errors to error.issues
- Renamed parameter from err to issue for clarity
This resolves build errors after upgrading to Zod v4.
- Update @typescript/native-preview from 7.0.0-dev.20250708.1 to 7.0.0-dev.20250824.1
- Update package-lock.json files for all subprojects to reflect the latest version
- Ensures compatibility with latest TypeScript native performance improvements
This keeps all packages in sync with the latest tsgo release for consistent type checking performance.
- Update browser/package.json to use tsgo instead of tsc for lint-tsc script
- Update website/client/package.json to use tsgo instead of tsc for lint-tsc script
- Update website/server/package.json to use tsgo instead of tsc for lint-tsc script
- Add @typescript/native-preview dependency to all subprojects for tsgo compatibility
This aligns with the main package.json which already uses tsgo for faster TypeScript type checking.
- Update @google-cloud/logging-winston from 6.0.0 to 6.0.1
- Update @hono/node-server from 1.13.8 to 1.16.0
- Update hono from 4.6.20 to 4.8.5
- Update repomix from 0.3.7 to 1.2.0
- Update @types/node from 22.13.0 to 24.0.14
- Update tsx from 4.19.2 to 4.20.3
- Update typescript from 5.7.3 to 5.8.3
These updates include the latest version of repomix and other minor version bumps.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Replace adm-zip library with fflate in website server for better performance and smaller bundle size:
- Replace import statements in processZipFile.ts and fileUtils.ts
- Update ZIP extraction logic to use fflate's unzip API with promise wrapper
- Maintain all existing security checks (path traversal, file limits, compression ratio)
- Remove adm-zip and @types/adm-zip dependencies from package.json
- Add fflate dependency with same functionality but better performance
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add "name": "repomix-website-server" to server/package.json
- Add "name": "repomix-website-client" to client/package.json
- Prevents npm from using /app directory name in package-lock.json during Docker builds
- Ensures consistent package names across development environments
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Replace pako.deflate/inflate with zlib.deflateSync/inflateSync in cache.ts
- Remove pako and @types/pako dependencies from package.json
- Utilize Node.js built-in zlib module for better performance and reduced dependencies
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
dependabot[bot]
Kazuki Yamada
renovate[bot]
Alexander Lichter