Merge branch 'main' into chore/issue-979-migrate-fetch-to-axios

Author: rocketstack-matt

.github/workflows/automated-release-calm-server.yml

@@ -53,7 +53,11 @@ jobs:
         with:
           node-version: 22
 
-      - run: npm ci
+      - name: Update to npm 11
+        run: npm install -g npm@11
+
+      - name: Install dependencies
+        run: npm ci
 
       - name: Check for existing changelog/version PRs
         run: |
@@ -183,7 +187,17 @@ jobs:
               NEXT_VERSION=$(grep "The next release version is" analysis.txt | sed 's/.*The next release version is \([^[:space:]]\+\).*/\1/')
               
               # Get current version from latest git tag instead of package.json
-              CURRENT_VERSION=$(git describe --tags --abbrev=0 2>/dev/null | sed 's/cli-v//')
+              CURRENT_VERSION=$(git describe --tags --abbrev=0 --match 'cli-v*' 2>/dev/null | sed 's/cli-v//')
+              
+              if [ -z "$CURRENT_VERSION" ]; then
+                echo "⚠️ No cli-v* git tag found; falling back to package.json version."
+                CURRENT_VERSION=$(node -p "require('./package.json').version" 2>/dev/null || echo "")
+              fi
+              
+              if [ -z "$CURRENT_VERSION" ]; then
+                echo "⚠️ package.json version unavailable; defaulting current version to 0.0.0."
+                CURRENT_VERSION="0.0.0"
+              fi
               
               echo "📋 Extracted versions:"
               echo "  Current: $CURRENT_VERSION"
@@ -230,8 +244,13 @@ jobs:
         with:
           node-version: 22
 
-      - run: npm ci
-      - run: npm run build
+      - name: Update to npm 11
+        run: npm install -g npm@11
+
+      - name: Install dependencies
+        run: npm ci
+
+      - run: npm run build:cli
 
       - name: Create version update PR
         run: |
@@ -374,7 +393,11 @@ jobs:
         with:
           node-version: 22
 
-      - run: npm ci
+      - name: Update to npm 11
+        run: npm install -g npm@11
+
+      - name: Install dependencies
+        run: npm ci
 
       - name: Create draft release
         env:
@@ -422,7 +445,7 @@ jobs:
       contains(github.event.pull_request.labels.*.name, 'automated-release')
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2
         with:
           egress-policy: audit
 
@@ -437,6 +460,10 @@ jobs:
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
         with:
           node-version: 22
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Update to npm 11
+        run: npm install -g npm@11
 
       - name: Install dependencies
         run: npm ci
@@ -481,6 +508,8 @@ jobs:
             --target main
 
       - name: Publish to NPM
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_SEMANTIC_RELEASE }}
         run: |
           cd cli
           npm publish --provenance

.github/workflows/automated-release.yml

@@ -21,7 +21,7 @@ jobs:
         env:
             SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
         container:
-            image: semgrep/semgrep@sha256:d3d1be3a3770514d16a6a57b9761575d7536d70f45a5220274f4ec7d55c442b9
+            image: semgrep/semgrep@sha256:e04d2cb132288d90035db8791d64f610cb255b21e727b94db046243b30c01ae9
         if: (github.actor != 'dependabot[bot]')
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

.github/workflows/semgrep-ci.yml

@@ -0,0 +1,35 @@
+name: Validate Lockfile Platforms
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    branches:
+      - 'main'
+      - 'release*'
+    paths:
+      - 'package-lock.json'
+  push:
+    branches:
+      - 'main'
+      - 'release*'
+    paths:
+      - 'package-lock.json'
+
+jobs:
+  validate-lockfile:
+    name: Validate Lockfile Platforms
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        with:
+          node-version: '22'
+
+      - name: Validate platform bindings in lockfile
+        run: node scripts/validate-lockfile-platforms.js

.github/workflows/validate-lockfile.yml

@@ -2,13 +2,3 @@
 # Blocks unsupported versions (e.g. Node 18, 20, 23) but still allows
 # Node 24+ since engines includes ">=24.10.0" for local development.
 engine-strict=true
-
-# Ensure npm resolves optional native bindings for all CI platforms,
-# not just the current developer machine. Prevents missing-binding
-# errors (e.g. @tailwindcss/oxide) when the lockfile is regenerated
-# on macOS but consumed on Linux runners.
-supportedArchitectures[os][]=current
-supportedArchitectures[os][]=linux
-supportedArchitectures[cpu][]=current
-supportedArchitectures[cpu][]=x64
-supportedArchitectures[cpu][]=arm64

.npmrc

@@ -71,6 +71,18 @@ The `engines` field in `package.json` (`^22.14.0 || >=24.10.0`) also permits Nod
 - **`@types/node`** is overridden to `^22.0.0` in root `package.json` to prevent transitive dependencies from pulling in a different major version
 - **Renovate** is configured with `allowedVersions: "<23.0.0"` for `@types/node`
 
+### Lockfile Regeneration
+
+**CRITICAL**: npm has a known bug ([npm/cli#4828](https://github.com/npm/cli/issues/4828)) where running `npm install` with an existing `node_modules` directory prunes optional platform-specific dependencies (e.g. `@tailwindcss/oxide`, `@swc/core`, `@esbuild`) for platforms other than the current machine. This causes CI failures on Linux runners when the lockfile was regenerated on macOS.
+
+**Correct method** — always delete both `node_modules` and the lockfile:
+
+```bash
+rm -rf node_modules package-lock.json && npm install
+```
+
+**Never** regenerate the lockfile without deleting `node_modules` first. The `validate-lockfile` CI workflow checks that all expected platform variants are present in `package-lock.json`.
+
 ### Why this matters
 
 Running `npm install` on a different Node major version (e.g. Node 25) causes:

AGENTS.md

@@ -21,7 +21,7 @@ Run `calm` with no arguments to see the top-level help:
 calm
 ```
 
-This displays available commands such as `generate`, `validate`, `init-ai`, `server`, `template`, and `docify`.
+This displays available commands such as `generate`, `validate`, `init-ai`, `template`, and `docify`.
 
 ## Generate Architectures from Patterns
 
@@ -134,19 +134,6 @@ At present Github Copilot (`copilot`), AWS Kiro (`kiro`), and Claude Code (`clau
 
 This generates custom prompts for the specified <provider> to use CALM-aware tools (nodes, relationships, interfaces, controls, flows, patterns, metadata).
 
-## CLI Server (Experimental)
-
-Expose CLI functionality over HTTP:
-
-```shell
-calm server --schema-directory <path>
-```
-
-Endpoints (default `http://127.0.0.1:3000`):
-
-- `GET /health` for health checks
-- `POST /calm/validate` with a CALM model payload to validate
-
 ## Template Command
 
 Generate arbitrary files from CALM models using Handlebars bundles: