Require explicit workspace for consumer scope

[sojanvarghese]

Checklist

• I have made corresponding changes to the documentation.
• I have added the necessary label (js or js with
  patch/minor/major - If publish is required).

[neeto-bugwatch]

🤖 NeetoBugWatch Review

I've analyzed your pull request and found some potential improvements that might be worth considering. Please review the specific line comments below for helpful suggestions.

💡 To trigger a re-review of this PR, add a comment with neeto-bugwatch-run on its own line (not inside a code block or blockquote).

Warning

Verdict: Needs review — 3 comments found, including major issues

Click to copy prompt for AI agent

Verdict: review_required

The following are code review comments from an AI reviewer that only has access
to the PR diff, not the full codebase. Treat every comment as a hypothesis,
not a fact. For each comment:

1. Investigate the verification questions against the full codebase first.
2. Go beyond the provided questions. Use your full codebase access to ask your
   own questions, check related code paths, and consider edge cases that the
   reviewer could not have seen from the diff alone.
3. Only implement the suggested fix if your investigation confirms the issue is real.
4. If the issue is not real, skip it entirely. Do not implement speculative fixes.

Prioritize by severity (critical > major > minor > trivial) and confidence score.
Only attend to comments with confidence below 0.5 if your investigation proves them valid.

[
  {
    "file_path": "js/src/index.ts",
    "line_number": 26,
    "comment": "By removing the previous fallback `options || {}`, invoking this class without any arguments in plain JavaScript will crash with a generic `TypeError: Cannot destructure property 'email' of 'undefined'` instead of the helpful `\"Email is required.\"` error below. Consider adding a default value like `= {} as Options` to the parameter to preserve the validation behavior.",
    "confidence": 0.95,
    "severity": "major",
    "suggested_fix": "Add a default empty object to the destructured options parameter.",
    "verification_questions": [
      "Is this package intended to be used by plain JavaScript clients where TypeScript's static checks won't prevent missing arguments?"
    ]
  },
  {
    "file_path": "js/test/index.test.ts",
    "line_number": 171,
    "comment": "Mutating `process.env` directly in tests can cause race conditions if Vitest runs other test files concurrently. Furthermore, if `previous` was `undefined`, assigning it back in the `finally` block sets it to the string `\"undefined\"`, which evaluates as truthy in JavaScript and may cause subsequent tests to silently read an invalid workspace. Consider using `vi.stubEnv()` or conditionally deleting the key.",
    "confidence": 0.95,
    "severity": "major",
    "suggested_fix": "Use conditionally `if (previous === undefined) delete process.env.NEETO_JWT_WORKSPACE; else process.env.NEETO_JWT_WORKSPACE = previous;` in the `finally` block, or use Vitest's `vi.stubEnv()`.",
    "verification_questions": [
      "Do multiple tests depend on `process.env.NEETO_JWT_WORKSPACE` being completely unassigned?",
      "Does Vitest run tests in parallel across files in this project?"
    ]
  },
  {
    "file_path": "js/test/index.test.ts",
    "line_number": 161,
    "comment": "Since `jsonwebtoken` is already imported and used elsewhere in the test suite, you can simplify this payload extraction by using `jwt.decode(token)` rather than manually splitting and Base64-decoding the string.",
    "confidence": 0.9,
    "severity": "trivial",
    "suggested_fix": "Replace the manual string splitting and buffer decoding with `const payload = jwt.decode(token);`.",
    "verification_questions": []
  }
]

[sojanvarghese]

neeto-bugwatch-run

[neeto-bugwatch]

🤖 NeetoBugWatch Review

I've analyzed your pull request and found some potential improvements that might be worth considering. Please review the specific line comments below for helpful suggestions.

💡 To trigger a re-review of this PR, add a comment with neeto-bugwatch-run on its own line (not inside a code block or blockquote).

Tip

Verdict: Good to merge — 1 minor suggestion, no significant issues found

Click to copy prompt for AI agent

Verdict: clean

The following are code review comments from an AI reviewer that only has access
to the PR diff, not the full codebase. Treat every comment as a hypothesis,
not a fact. For each comment:

1. Investigate the verification questions against the full codebase first.
2. Go beyond the provided questions. Use your full codebase access to ask your
   own questions, check related code paths, and consider edge cases that the
   reviewer could not have seen from the diff alone.
3. Only implement the suggested fix if your investigation confirms the issue is real.
4. If the issue is not real, skip it entirely. Do not implement speculative fixes.

Prioritize by severity (critical > major > minor > trivial) and confidence score.
Only attend to comments with confidence below 0.5 if your investigation proves them valid.

[
  {
    "file_path": "js/test/index.test.ts",
    "line_number": 160,
    "comment": "The `jwt.decode` function from `@types/jsonwebtoken` returns a union type (`null | JwtPayload | string`). Accessing `.workspace` on this result without type assertion or narrowing may cause a TypeScript compilation error under strict type-checking.",
    "confidence": 0.85,
    "severity": "trivial",
    "suggested_fix": "Cast the decoded payload to explicitly indicate it is an object with a workspace property, e.g., `const payload = jwt.decode(token) as jwt.JwtPayload;`.",
    "verification_questions": [
      "Is strict TypeScript checking enabled for the test files?",
      "Are there currently type-check errors in CI when running `tsc --noEmit` on the tests?"
    ]
  }
]

[sojanvarghese]

@VarunSriram99 _a Please review.