Merge remote-tracking branch 'origin/develop' into sm/W-23147786-refactor-apex-testing-sfcommandlet-to-ef

Author: mshanemc

.claude/plans/W-23094888.md

@@ -0,0 +1,31 @@
+# W-23094888 — Enable unicorn/no-array-sort-for-min-max
+
+## Context
+- Enable `unicorn/no-array-sort-for-min-max`: disallow `[...].sort()[0]` for min/max; prefer `Math.min`/`Math.max`.
+- Rule exists in `eslint-plugin-unicorn` v68 (`node_modules/.../rules/no-array-sort-for-min-max.js`).
+- Depends W-23094887 (`prefer-boolean-return`) — already merged (commit afef5779a).
+- Add to `eslint.config.mjs` `**/*.ts` block, alphabetical: between `unicorn/no-array-sort` (172) and `unicorn/no-boolean-sort-comparator` (173).
+- Prior pattern: single `chore(eslint): enable unicorn/<rule>` commit (e.g. 48f4e16aa, afef5779a).
+
+## Scope (verified via lint)
+- 0 violations across repo. Built `packages/eslint-local-rules`, enabled rule, ran eslint → 0 `no-array-sort-for-min-max` hits.
+- Pre-existing 217 errors (unused vars `scripts/`, xsd parsing) — unrelated.
+- No-op enablement: config-only, no source fixes.
+
+## Phases
+
+### Phase 1 — enable rule
+- Add `'unicorn/no-array-sort-for-min-max': 'error',` after `'unicorn/no-array-sort': 'error',` line in `eslint.config.mjs`.
+- Build local rules first (`packages/eslint-local-rules`), else ERR_MODULE_NOT_FOUND.
+- files: `eslint.config.mjs`
+- commit: `chore(eslint): enable unicorn/no-array-sort-for-min-max - W-23094888`
+
+## Skills
+- concise (plan/docs style)
+- typescript (eslint.config.mjs governs TS files)
+- verification (lint gate)
+- changelog (lint-only chore; prior unicorn enables had no entry — confirm none needed)
+
+## Verification
+- No e2e/runtime impact: pure lint config, 0 source changes.
+- No unit/Playwright needed — no source touched.

.claude/plans/W-23094893.md

@@ -0,0 +1,24 @@
+# W-23094893 — Enable unicorn/no-collection-bracket-access
+
+## Context
+- Disallow bracket notation on Map/Set/WeakMap/WeakSet (sets obj prop, not entry)
+- eslint-plugin-unicorn v68; rule exists; suggestions-only (no autofix)
+- Dep W-23094891 (no-chained-comparison): Closed/merged — unblocked
+- Config: root `eslint.config.mjs`, unicorn rules block, alphabetical
+- Insert after `unicorn/no-chained-comparison` (line 175), before `unicorn/no-constant-zero-expression`
+- Probe (rule temporarily enabled, lint `packages/**/*.ts`): 0 violations — no code fixes needed
+
+## Phases
+
+### Phase 1 — enable rule
+- `eslint.config.mjs`: add `'unicorn/no-collection-bracket-access': 'error',` after `no-chained-comparison`
+- commit: `chore(eslint): enable unicorn/no-collection-bracket-access - W-23094893`
+
+## Skills
+- concise (plan/docs)
+- typescript
+- verification
+
+## Verification
+- `npm run lint` clean (root) — exercises rule across all pkg lint deps
+- not e2e-covered (lint-only change)

.claude/plans/W-23127988.md

@@ -0,0 +1,44 @@
+# W-23127988 — E2E flake: LWC LSP hover lightning-accordion
+
+## Context
+
+- retryRate 67%. Flake, not product defect (run 27976286397: retry 0 fail, retry 1 pass).
+- `waitForLwcLspReady` (`lwcUtils.ts:222`) gates only on index-status UI item, not `doHover` readiness.
+- HTML hover step in `lwcLspHover.headless.spec.ts` (step "hover over lightning-accordion tag and verify the LWC LSP hover card appears", currently ~lines 57-76) does single `hover()` + one-shot `expect(.monaco-hover).toBeVisible({timeout:15_000})`.
+- Cold-LSP: hover provider not ready when index item shows; single hover that misses never re-triggers → `.monaco-hover` never visible → fail.
+- Fix per WI: poll inside `toPass` — re-hover + assert.
+- Reference steps by their `test.step` title, not line numbers (file is 117 lines and grows; line-number-only refs go stale).
+
+## Phases
+
+### Phase 1 — gate HTML hover on availability via toPass re-hover
+
+- File: `packages/salesforcedx-vscode-lwc/test/playwright/specs/lwcLspHover.headless.spec.ts`
+- Target: the HTML hover-verify `test.step` ("hover over lightning-accordion tag…"); wrap only the `hover()` + `.monaco-hover` assert (not the `goToLineCol` / `waitFor` setup) in `expect(async () => {...}).toPass({ timeout })`.
+- Each attempt: `tagToken.hover()`, then assert `.monaco-hover` w/ `View in Component Library` visible.
+- **Open question — must re-trigger fire on every attempt?** Hypothesis: if the pointer is already over the token, Monaco may not recompute the hover, so a missed first attempt never repaints. NOT verified — no Monaco source in `node_modules`, no repo precedent for mouse-move-away. Do NOT bake the move-away into the code as an asserted fact.
+  - Implementation: keep each `toPass` attempt self-contained so a stale/absent hover is re-driven. Before each `hover()`, dismiss any open hover (e.g. `page.keyboard.press('Escape')`) and/or move the pointer off the token (`page.mouse.move` to editor body coords) so the next `hover()` is a genuine pointer transition. This is defensive: harmless if Monaco re-fires anyway, necessary if it suppresses same-token re-hover.
+  - The move-away/Escape mechanism must be **confirmed in the local verification step** (below) — observe `.monaco-hover` actually disappear then reappear across attempts — before relying on it. If local run shows a bare re-`hover()` already repaints, drop the move-away to keep the step minimal.
+- Drop inner 15_000 → short per-attempt assert timeout; outer `toPass` timeout ~45_000.
+- Precedent: `lwcRename.headless.spec.ts:80-82,106-108` (toPass poll on flaky debounced UI); `lwcCustomComponentsIndex.headless.spec.ts:45`. (Precedent covers the toPass-around-flaky-assert pattern, NOT the hover re-trigger specifics.)
+- Commit: `test(lwc): poll lightning-accordion hover in toPass for cold-LSP - W-23127988`
+
+### Phase 2 (optional, same commit if cheap) — apply same poll to JS hover
+
+- Same file, JS hover-verify `test.step` ("hover over LightningElement…", desktop-only, 20_000 one-shot). Same cold-LSP race on `LightningElement` hover.
+- Wrap the `hover()` + `.monaco-hover` assert in `toPass` for consistency (same re-trigger handling as Phase 1); reduces future flake.
+- Fold into Phase 1 commit (one logical change: hover-readiness polling).
+
+## Skills to apply
+
+- playwright-e2e (toPass for async UI; avoid one-shot asserts on LSP-dependent UI)
+- concise (plan + any comments)
+
+## Verification
+
+- e2e-covered: the spec itself is the test — green run on branch confirms fix. Run `npm run test:web -w salesforcedx-vscode-lwc -- --retries 0` (and/or `test:desktop`); the `lwcPlaywrightE2E` CI workflow runs this on ubuntu (where flake observed). Ideally repeated runs to confirm retryRate drop.
+- Not e2e-covered:
+  - `npm run compile` / typecheck spec file (no `let`, ternary, etc. per eslint).
+  - eslint clean on changed spec.
+  - **Confirm the re-trigger mechanism before PR** — local run (or PWDEBUG/headed) with `--retries 0` (`npm run test:web -w salesforcedx-vscode-lwc -- --retries 0`, so flake is observed not masked) on the HTML hover step: watch the DOM and verify across at least two `toPass` attempts that `.monaco-hover` actually disappears and reappears. This proves the loop re-drives a missed hover. If a bare re-`hover()` already repaints, drop the Escape/move-away. If even the move-away does not re-fire, escalate: the toPass loop is then ineffective and Phase 1 needs a different trigger (e.g. dispatch synthetic `mousemove`, or re-focus the token via `goToLineCol`).
+  - **Status:** as committed, the Escape + editor-body `mouse.move` is retained defensively — the local confirm-and-trim step above was not performed, so the move-away is kept (harmless if Monaco re-fires anyway). Trim only after the local DOM observation confirms a bare re-`hover()` repaints.

.claude/plans/W-23161119.md

@@ -0,0 +1,34 @@
+# W-23161119: bump @stoplight/spectral-rulesets 1.22.0 -> 1.22.4
+
+## Context
+
+- Dependabot alert 297: lodash <=4.17.23 prototype pollution via `_.unset`/`_.omit` (CVE-2026-2950, GHSA-f23m-r3pf-42rh). Patched 4.18.0.
+- `@stoplight/spectral-rulesets@1.22.0` deps lodash `~4.17.21` -> root-hoisted lodash pinned 4.17.23 (only vuln copy; nested spectral-core/functions copies already 4.18.1).
+- `1.22.4` deps lodash `^4.18.1` (verified via `npm view`). lodash 4.18.1 published.
+- Single repo ref: `packages/salesforcedx-vscode-apex-oas/package.json`.
+
+## Phases
+
+### Phase 1: bump dep + regenerate lock
+
+- edit `packages/salesforcedx-vscode-apex-oas/package.json` dep `@stoplight/spectral-rulesets` `1.22.0` -> `1.22.4`
+- `npm install` from root (workspace) -> regenerate `package-lock.json`; root lodash hoists 4.17.23 -> 4.18.1
+- files: `packages/salesforcedx-vscode-apex-oas/package.json`, `package-lock.json`
+- commit: `fix(apex-oas): bump @stoplight/spectral-rulesets to 1.22.4 (lodash CVE-2026-2950) - W-23161119`
+
+## Skills to apply
+
+- packageJson — dep edit conventions
+- typescript — TS conventions
+- verification — confirm done
+
+## Verification
+
+- `node -e "..."` on `package-lock.json`: root `node_modules/lodash` version == `4.18.1`
+- `npm audit` lodash vuln gone
+- spectral-rulesets lock entry == 1.22.4
+- apex-oas compile passes
+- jest spec directly exercising Spectral core + custom ruleset passes: `npm --workspace packages/salesforcedx-vscode-apex-oas test -- ruleset.spectral.test` (spec at `packages/salesforcedx-vscode-apex-oas/test/jest/oas/documentProcessingPipeline/ruleset.spectral.test.ts` imports `@stoplight/spectral-core` + `src/oas/documentProcessorPipeline/ruleset.spectral`, runs `spectral.setRuleset(ruleset)` + `spectral.run`)
+- org-gated e2e: 9 `*.headless.spec.ts` specs under `packages/salesforcedx-vscode-apex-oas/test/playwright/specs/` validate the spectral path
+- e.g. `decomposedSimpleAccount.headless.spec.ts` asserts `expectProblemsCount(page, 0)` after `SFDX: Validate OpenAPI Document`
+- requires a scratch org; CI `apexOasE2E.yml` gates the PR — no local pre-PR e2e needed

.claude/plans/W-23161121.md

@@ -0,0 +1,50 @@
+# W-23161121 — clear lodash CVE-2026-2950 (commitizen 4.3.2 + spectral-rulesets 1.22.4)
+
+## Context
+- Dependabot alert 297: lodash <=4.17.23 prototype pollution (`_.unset`/`_.omit`), CVE-2026-2950 / GHSA-f23m-r3pf-42rh. Patched 4.18.0.
+- Root `node_modules/lodash` = 4.17.23 (vulnerable). Single root `package-lock.json`; npm workspaces (`packages/*`); `bootstrap = npm install`.
+- Two distinct pinners hold root lodash at 4.17.x — both must move or a 4.17.x copy survives:
+
+### Pinner A — commitizen (dev tooling)
+- `commitizen@4.3.1` (transitive via `cz-conventional-changelog@3.3.0`) pins `lodash@4.17.21` (nested copy at `node_modules/commitizen/node_modules/lodash` = 4.17.21).
+- `commitizen@4.3.2` pins `lodash@4.18.1`; `cz-conventional-changelog` range `commitizen@^4.0.3` allows 4.3.2 — no package.json edit needed (lockfile-only).
+
+### Pinner B — spectral-rulesets (RUNTIME dep, ships in VSIX)
+- `@stoplight/spectral-rulesets@1.22.0` pins `lodash: ~4.17.21` (>=4.17.21 <4.18.0) — no 4.18.x satisfies. Verified via package-lock.json + `npm view @stoplight/spectral-rulesets@1.22.0 dependencies.lodash`.
+- NOT dev-only: pinned `"1.22.0"` under `dependencies` in `packages/salesforcedx-vscode-apex-oas/package.json:38`, imported at runtime in `src/oas/documentProcessorPipeline/ruleset.spectral.ts` and bundled via the `vscode:bundle` script.
+- Bumping only commitizen leaves a 4.17.x lodash for spectral — CVE not cleared in shipped extension.
+- Fix: bump `@stoplight/spectral-rulesets` to `1.22.4`, which ships `lodash: ^4.18.1` (verified `npm view ...@1.22.4 dependencies.lodash`). 1.22.4 depends on `@stoplight/spectral-core@1.23.0` (exact) — already installed (1.23.0); no spectral-core change needed.
+
+## Phases
+
+### Phase 1 — bump spectral-rulesets (runtime, unblocks lodash float)
+- Edit `packages/salesforcedx-vscode-apex-oas/package.json:38` — `"@stoplight/spectral-rulesets": "1.22.0"` → `"1.22.4"`.
+
+### Phase 2 — float commitizen + reinstall
+- `npm update commitizen` → nested commitizen 4.3.1→4.3.2, its lodash 4.17.21→4.18.1.
+- `npm install` → resolve/dedupe; root lodash 4.17.23→4.18.x (now unblocked by both pinners).
+- Stage `package.json` (apex-oas) + `package-lock.json`. Confirm no other package.json changed.
+- Commit msg: `fix(deps): bump commitizen 4.3.2 + spectral-rulesets 1.22.4 to clear lodash CVE-2026-2950 - W-23161121`
+
+## Skills to apply
+- packageJson — dependency/lockfile conventions, exact-pin style
+- typescript
+- verification
+
+## Verification
+<!-- targeted: root-only check can false-pass -->
+- `node_modules/commitizen` version = 4.3.2.
+- `node_modules/commitizen/node_modules/lodash` = 4.18.1, OR absent (promoted to root). Either is acceptable.
+- `node_modules/@stoplight/spectral-rulesets` version = 1.22.4; its lodash constraint now `^4.18.1`.
+- Root `node_modules/lodash` >= 4.18.0.
+- Enumerate every `node_modules/**/lodash` (root + all nested) in `package-lock.json`; assert NONE is < 4.18.0.
+- Any 4.17.x survivor: trace via `npm explain lodash`, resolve before commit.
+- `npm ls commitizen` — 4.3.2 under cz-conventional-changelog.
+- `npm audit` (lodash advisory) — CVE-2026-2950 / GHSA-f23m-r3pf-42rh cleared.
+- `npm run check:dupes` — check `jscpd-report` for flagged changes.
+- `git diff --stat` — only apex-oas `package.json` + root `package-lock.json` changed.
+
+## e2e / runtime coverage
+- 1.22.4 bump is runtime/shipped (apex-oas OAS pipeline).
+- Run apex-oas OAS validation step (`oasValidationStep` / `ruleset.spectral.ts`); confirm ruleset loads. spectral-core stays at 1.23.0 — behavior unchanged, but verify.
+- commitizen change remains build-tooling only (no e2e surface).

.github/workflows/apexLogE2E.yml

@@ -56,7 +56,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '22'
+          node-version: '22.22.3'
           cache: 'npm'
 
       - uses: google/wireit@setup-github-actions-caching/v2
@@ -185,7 +185,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '22'
+          node-version: '22.22.3'
           cache: 'npm'
 
       - uses: google/wireit@setup-github-actions-caching/v2

.github/workflows/apexLspE2E.yml

@@ -66,7 +66,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '22'
+          node-version: '22.22.3'
           cache: 'npm'
 
       - uses: google/wireit@setup-github-actions-caching/v2

.github/workflows/apexOasE2E.yml

@@ -70,7 +70,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '22'
+          node-version: '22.22.3'
           cache: 'npm'
 
       - uses: google/wireit@setup-github-actions-caching/v2

.github/workflows/apexReplayDebuggerE2E.yml

@@ -70,7 +70,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '22'
+          node-version: '22.22.3'
           cache: 'npm'
 
       - uses: google/wireit@setup-github-actions-caching/v2

.github/workflows/apexTestingE2E.yml

@@ -56,7 +56,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '22'
+          node-version: '22.22.3'
           cache: 'npm'
 
       - uses: google/wireit@setup-github-actions-caching/v2
@@ -209,7 +209,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '22'
+          node-version: '22.22.3'
           cache: 'npm'
 
       - uses: google/wireit@setup-github-actions-caching/v2