fix(marketplace): guard fetch-source against missing sourceUrl/sha

[gai095481]

Summary

The marketplace-fetch-source script crashes with TypeError: undefined is not an object (evaluating 'sourceUrl.match') when sourceUrl is undefined in entry.json. This happens on PRs that don't add a marketplace entry (no sourceUrl field), causing the marketplace-auto-review CI check to fail on every such PR.

Problem

• fetch-source destructures { sourceUrl, sha } from entry.json without null checks
• When a PR doesn't modify marketplace.ts, the sourceUrl field is undefined
• Calling .match() on undefined throws TypeError, killing the entire workflow
• This caused CI failures on PRs fix(core): respect worktree.enabled: false in dispatchBackgroundWorkflow #1685 and fix(marketplace-auto-review): feed actual workflow source to AI reviewer #1689 (and any PR not touching marketplace entries)

What Changed

• Made sourceUrl and sha optional in the MarketplaceEntry interface
• Added an early-return guard: when either field is missing, log a clear warning and output an empty { files, errors } result, then exit 0
• Downstream nodes (AI review) can now proceed without source files instead of the entire workflow crashing

Validation

• The fix is a null guard with exit(0) — no behavioral change when sourceUrl and sha are present (the happy path for marketplace entries)
• When fields are missing, the workflow continues with an empty source list instead of crashing

Security Impact

None. This is a defensive null check that prevents a crash; no new data flows or permissions are introduced.

Compatibility

Fully backward compatible. Existing marketplace entries with valid sourceUrl/sha are unaffected.

Rollback Plan

Revert this commit to restore the previous behavior (crash on missing fields).

Blast Radius

Single script: .archon/scripts/marketplace-fetch-source.ts. Only affects the fetch-source node in marketplace-pr-review-and-merge.yaml. No other workflows or scripts are impacted.

Risks & Mitigations

• Risk: Downstream AI review runs without source files when fields are missing.
• Mitigation: The bundle-source node (from PR fix(marketplace-auto-review): feed actual workflow source to AI reviewer #1689) already handles surfacing available source content to the AI reviewer. When source files are empty, the reviewer works with what it has — this is preferable to the entire CI check crashing.

Summary by CodeRabbit

• Bug Fixes
  • Gracefully handle missing required source fields by reporting which are absent, recording the error, returning an empty file list, and allowing downstream steps to continue.
• Tests
  • Added tests covering behavior when required fields are missing and when the entry metadata is absent to ensure correct exit codes and error reporting.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a48d3781-cf7c-422f-8e8d-18cb8ff7b69c

📥 Commits

Reviewing files that changed from the base of the PR and between a9a6b97 and 6cf9075.

📒 Files selected for processing (2)

• .archon/scripts/__tests__/marketplace-fetch-source.test.ts
• .archon/scripts/marketplace-fetch-source.ts

---

📝 Walkthrough

Walkthrough

The marketplace source-fetch script makes sourceUrl and sha optional. An early guard logs which of those fields are missing, appends the message to errors, outputs {"files":[],"errors":[...]} to stdout, and exits with status 0. Tests cover the guard and the missing entry.json failure case.

Changes

Optional source-fetch fields and validation

Layer / File(s)	Summary
Optional source fields and missing-data guard .archon/scripts/marketplace-fetch-source.ts	MarketplaceEntry makes sourceUrl and sha optional. Adds an early guard that detects absent fields, writes a missing-field message to stderr, appends it to errors, prints empty files with the errors JSON to stdout, and exits with status 0.
Bun test suite for guard and missing entry.json .archon/scripts/__tests__/marketplace-fetch-source.test.ts	Adds runFetch helper and tests verifying the guard returns exit code 0 with empty files when sourceUrl and/or sha are missing (and that stderr contains the missing-field message), ensures the guard does not run when both fields are present, and checks the script exits 1 when entry.json is absent.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• github-actions

Poem

A rabbit finds a missing clue—no fuss,
It notes the gaps and tucks them into us.
Errors listed, files set to nil,
The pipeline hops on, steady and still. 🐇

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: adding a guard to handle missing sourceUrl/sha fields in the marketplace-fetch-source script.
Description check	✅ Passed	The description covers the key aspects: problem statement, what changed, validation approach, security impact, compatibility, and rollback plan. All critical sections from the template are adequately addressed.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Wirasm]

Review Summary

Verdict: minor-fixes-needed

This PR adds a guard to marketplace-fetch-source.ts that exits gracefully with an empty result when entry.json is missing sourceUrl or sha — fixing a crash that occurs when PRs bypass the parse-entry step. The error handling is clean and consistent with existing patterns. The main gap: the new guard path has no test coverage.

Blocking issues

(none — no CRITICAL findings)

Suggested fixes

• .archon/scripts/__tests__/marketplace-fetch-source.test.ts (missing): Add test coverage for the new guard block (lines 37-51). Test:
  1. entry.json missing sourceUrl only → expects stderr mention of "sourceUrl", files: [], exitCode(0)
  2. entry.json missing sha only → expects stderr mention of "sha", exitCode(0)
  3. entry.json missing both → expects both field names in stderr
  4. entry.json complete → continues to fetch logic unchanged

Minor / nice-to-have

• The inline comment at lines 37-48 is accurate and well-written. A small future polish: trim to two lines to reduce rot risk from the "e.g., PR doesn't add a marketplace entry" phrasing.
• The optional sourceUrl/sha fields in MarketplaceEntry are handled correctly by the guard. Be aware: if parse-entry ever starts writing partial entries intentionally, this interface change will silently accept them without breaking — which may or may not be desired behavior.

Compliments

• The guard mirrors the established pattern in ghApi() (stderr + errors array + return empty / exit 0), so no new error-handling style is introduced.
• The inline comment does a good job of capturing WHY the guard exists, not just WHAT it checks.

---

Reviewed via maintainer-review-pr workflow (Pi/Minimax). Aspects run: code-review, error-handling, test-coverage, comment-quality.