Merge branch 'main' into feat/decorator-target-type-2183

Author: rocketstack-matt

.github/CODEOWNERS

@@ -4,6 +4,8 @@
 
 /calm-hub/ @jpgough-ms @rocketstack-matt @grahampacker-ms @Thels  @markscott-ms
 
+/calm-server/ @rocketstack-matt @markscott-ms
+
 /cli/ @aidanm3341 @lbulanti-ms @willosborne @grahampacker-ms @jpgough-ms @rocketstack-matt @Thels @LeighFinegold @markscott-ms
 
 /shared/ @aidanm3341 @lbulanti-ms @willosborne @grahampacker-ms @jpgough-ms @rocketstack-matt @Thels @LeighFinegold @markscott-ms

.github/pull_request_template.md

@@ -16,11 +16,14 @@
 ## Affected Components
 <!-- Check all that apply -->
 - [ ] CLI (`cli/`)
-- [ ] Shared (`shared/`)
-- [ ] CALM Widgets (`calm-widgets/`)
+- [ ] Schema (`calm/`)
+- [ ] CALM AI (`calm-ai/`)
 - [ ] CALM Hub (`calm-hub/`)
 - [ ] CALM Hub UI (`calm-hub-ui/`)
+- [ ] CALM Server (`calm-server/`)
+- [ ] CALM Widgets (`calm-widgets/`)
 - [ ] Documentation (`docs/`)
+- [ ] Shared (`shared/`)
 - [ ] VS Code Extension (`calm-plugins/vscode/`)
 - [ ] Dependencies
 - [ ] CI/CD

.github/workflows/automated-release-calm-server.yml

@@ -183,7 +183,17 @@ jobs:
               NEXT_VERSION=$(grep "The next release version is" analysis.txt | sed 's/.*The next release version is \([^[:space:]]\+\).*/\1/')
               
               # Get current version from latest git tag instead of package.json
-              CURRENT_VERSION=$(git describe --tags --abbrev=0 2>/dev/null | sed 's/cli-v//')
+              CURRENT_VERSION=$(git describe --tags --abbrev=0 --match 'cli-v*' 2>/dev/null | sed 's/cli-v//')
+              
+              if [ -z "$CURRENT_VERSION" ]; then
+                echo "⚠️ No cli-v* git tag found; falling back to package.json version."
+                CURRENT_VERSION=$(node -p "require('./package.json').version" 2>/dev/null || echo "")
+              fi
+              
+              if [ -z "$CURRENT_VERSION" ]; then
+                echo "⚠️ package.json version unavailable; defaulting current version to 0.0.0."
+                CURRENT_VERSION="0.0.0"
+              fi
               
               echo "📋 Extracted versions:"
               echo "  Current: $CURRENT_VERSION"
@@ -422,7 +432,7 @@ jobs:
       contains(github.event.pull_request.labels.*.name, 'automated-release')
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2
         with:
           egress-policy: audit
 
@@ -437,6 +447,7 @@ jobs:
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
         with:
           node-version: 22
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
         run: npm ci
@@ -481,6 +492,8 @@ jobs:
             --target main
 
       - name: Publish to NPM
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_SEMANTIC_RELEASE }}
         run: |
           cd cli
           npm publish --provenance

.github/workflows/automated-release.yml

@@ -0,0 +1,40 @@
+name: Build CALM Server
+
+permissions:
+    contents: read
+
+on:
+    pull_request:
+        branches:
+            - 'main'
+            - 'release*'
+    push:
+        branches:
+            - 'main'
+            - 'release*'
+
+jobs:
+    calm-server:
+        name: Build, Test, and Lint CALM Server Module
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: Checkout PR Branch
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+            - name: Setup Node.js
+              uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+              with:
+                  node-version: v22
+
+            - name: Install workspace
+              run: npm ci
+
+            - name: Lint CALM Server Module
+              run: npm run lint --workspace=calm-server
+
+            - name: Build workspace
+              run: npm run build:calm-server
+
+            - name: Run tests with coverage for CALM Server
+              run: npm run test:calm-server

.github/workflows/build-calm-server.yml

@@ -21,7 +21,7 @@ jobs:
         env:
             SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
         container:
-            image: semgrep/semgrep@sha256:d3d1be3a3770514d16a6a57b9761575d7536d70f45a5220274f4ec7d55c442b9
+            image: semgrep/semgrep@sha256:e04d2cb132288d90035db8791d64f610cb255b21e727b94db046243b30c01ae9
         if: (github.actor != 'dependabot[bot]')
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

.github/workflows/semgrep-ci.yml

@@ -0,0 +1,35 @@
+name: Validate Lockfile Platforms
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    branches:
+      - 'main'
+      - 'release*'
+    paths:
+      - 'package-lock.json'
+  push:
+    branches:
+      - 'main'
+      - 'release*'
+    paths:
+      - 'package-lock.json'
+
+jobs:
+  validate-lockfile:
+    name: Validate Lockfile Platforms
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        with:
+          node-version: '22'
+
+      - name: Validate platform bindings in lockfile
+        run: node scripts/validate-lockfile-platforms.js

.github/workflows/validate-lockfile.yml

@@ -2,13 +2,3 @@
 # Blocks unsupported versions (e.g. Node 18, 20, 23) but still allows
 # Node 24+ since engines includes ">=24.10.0" for local development.
 engine-strict=true
-
-# Ensure npm resolves optional native bindings for all CI platforms,
-# not just the current developer machine. Prevents missing-binding
-# errors (e.g. @tailwindcss/oxide) when the lockfile is regenerated
-# on macOS but consumed on Linux runners.
-supportedArchitectures[os][]=current
-supportedArchitectures[os][]=linux
-supportedArchitectures[cpu][]=current
-supportedArchitectures[cpu][]=x64
-supportedArchitectures[cpu][]=arm64

.npmrc

@@ -71,6 +71,18 @@ The `engines` field in `package.json` (`^22.14.0 || >=24.10.0`) also permits Nod
 - **`@types/node`** is overridden to `^22.0.0` in root `package.json` to prevent transitive dependencies from pulling in a different major version
 - **Renovate** is configured with `allowedVersions: "<23.0.0"` for `@types/node`
 
+### Lockfile Regeneration
+
+**CRITICAL**: npm has a known bug ([npm/cli#4828](https://github.com/npm/cli/issues/4828)) where running `npm install` with an existing `node_modules` directory prunes optional platform-specific dependencies (e.g. `@tailwindcss/oxide`, `@swc/core`, `@esbuild`) for platforms other than the current machine. This causes CI failures on Linux runners when the lockfile was regenerated on macOS.
+
+**Correct method** — always delete both `node_modules` and the lockfile:
+
+```bash
+rm -rf node_modules package-lock.json && npm install
+```
+
+**Never** regenerate the lockfile without deleting `node_modules` first. The `validate-lockfile` CI workflow checks that all expected platform variants are present in `package-lock.json`.
+
 ### Why this matters
 
 Running `npm install` on a different Node major version (e.g. Node 25) causes:

AGENTS.md

@@ -34,6 +34,7 @@ Ready to get started? Check out the [CALM tutorials](https://calm.finos.org/tuto
 | [CALM AI](./calm-ai)                                                                           | [@rocketstack-matt](https://github.com/rocketstack-matt)                                                                                                                                                                             | No build, prompt tools only, managed separately to CLI for easier maintenance and broader reuse.                                                                                                                                                                                                                                                                                            |
 | [CALM Hub](./calm-hub)                                                                         | [@jpgough-ms](https://github.com/jpgough-ms), [@grahampacker-ms](https://github.com/grahampacker-ms)                                                                                                                                                                                       | [![Build Calm Hub](https://github.com/finos/architecture-as-code/actions/workflows/build-calm-hub.yml/badge.svg)](https://github.com/finos/architecture-as-code/actions/workflows/build-calm-hub.yml)                                                                                                                                                                                       |
 | [CALM Hub UI](./calm-hub-ui)                                                                   | [@aidanm3341](https://github.com/aidanm3341), [@aamanrebello](https://github.com/aamanrebello), [@yoofitt96](https://github.com/YoofiTT96)                                   | [![Build CALM Hub UI](https://github.com/finos/architecture-as-code/actions/workflows/build-calm-hub-ui.yml/badge.svg)](https://github.com/finos/architecture-as-code/actions/workflows/build-calm-hub-ui.yml)                                                                                                                                                                              |
+| [CALM-Server](./calm-server) | [@rocketstack-matt](https://github.com/rocketstack-matt), [@markscott-ms](https://github.com/markscott-ms)      | [![Build CALM Server](https://github.com/finos/architecture-as-code/actions/workflows/build-calm-server.yml/badge.svg)](https://github.com/finos/architecture-as-code/actions/workflows/build-calm-server.yml) |
 | [Docs](./docs)                                                                                 | [@rocketstack-matt](https://github.com/rocketstack-matt)                                                                                                                                                                             | [![Sync Docs to S3](https://github.com/finos/architecture-as-code/actions/workflows/s3-docs-sync.yml/badge.svg)](https://github.com/finos/architecture-as-code/actions/workflows/s3-docs-sync.yml) [![Build Docs](https://github.com/finos/architecture-as-code/actions/workflows/build-docs.yml/badge.svg)](https://github.com/finos/architecture-as-code/actions/workflows/build-docs.yml) |
 | [CALM VSCode Plugin](./calm-plugins/vscode)                                                    | [@LeighFinegold](https://github.com/LeighFinegold), [@rocketstack-matt](https://github.com/rocketstack-matt), [@markscott-ms](https://github.com/markscott-ms)                                                                                                                         | ![Build VS Code Extension](https://github.com/finos/architecture-as-code/workflows/Build%20VS%20Code%20Extension/badge.svg)                                                                                                                                                                                                                                                                 |