Skip to content

Extend validate-workspace-dep-coverage to catch missing npm deps + non-workspace COPY needs in Dockerfile.worker #4909

Description

@claude

Observed evidence

In the 2026-05-18 deploy window, two consecutive PRs were needed to get the worker image building correctly:

PR #4901 fixed wiki-server route imports leaking into the worker. PR #4903 then had to fix:

  1. 10 npm packages that weren't in docker/worker/package.json (first one prod hit: proper-lockfile)
  2. data/schema.ts which wasn't COPY'd into the image

Found at runtime in prod after enqueueing a real backfill-sources job.

The gap

The existing validator crux/validate/validate-workspace-dep-coverage.ts checks that every @longterm-wiki/* workspace dep used in crux/ is declared in docker/worker/package.json and that every file: workspace dep has a matching COPY line. It does not check:

  1. Regular npm packages imported transitively from crux.mjs — when a new crux command imports e.g. proper-lockfile, nothing flags that the worker package.json is now missing that dep.
  2. Non-workspace files copied from outside crux/ (like data/schema.ts) — the worker crux.mjs static-import graph can pull in arbitrary repo files, and there's no check that every imported file is present in the image.

Proposed extension

Extend the validator to:

  1. Scan the worker's static import graph rooted at crux/run.mjs (or whatever the worker's entry is).
  2. Collect every imported npm package and assert it's declared in docker/worker/package.json.
  3. Collect every relative file import that leaves crux/ (e.g. ../data/..., ../apps/.../...) and assert there's a matching COPY line in Dockerfile.worker before pnpm install --prod.

The principle is the same as the existing validator (find the gap mechanically, fail-closed in CI), just applied to the broader dependency graph that the worker actually uses at runtime.

Why this matters

The "fix the system, not the instance" principle in CLAUDE.md: each missing dep is one PR away from causing a prod backfill-job failure. After two of these in one week, the validator should subsume the manual reasoning.

Related: see also docs/agent-rules/dockerfile-postinstall-trap.md (sub-app Dockerfiles, different but related class).

Discovery context

Filed during weekly maintenance sweep 2026-05-24 — auto-generated PR for context.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions