Replace dependency npm-run-all with npm-run-all2 ^5.0.0 - autoclosed #1
Closed
renovate[bot] wants to merge 1 commit into
davidpoblador added a commit that referenced this pull request May 30, 2026
## Summary

Closes #1938. Smooths the four friction points the issue hit when adopting the htmx `hx-csp` extension under a strict (no `unsafe-eval`) CSP.

### 1. Re-export the extension (friction #1 + #2)

- New `vibetuner-js/htmx-csp.js` + `"./htmx/csp"` export, mirroring the existing `htmx/preload`, `htmx/sse`, `htmx/live`. Projects now `import "@alltuner/vibetuner/htmx/csp";` with **no direct `htmx.org` devDependency** — which previously had to be pinned by hand and would drift from the framework's htmx the moment it bumped.
- Verified the re-export bundles with bun (`htmx.registerExtension("hx-csp")` lands in the output).

### 2. `body_attrs` skeleton block (friction #4)

- The `<body>` tag had no attribute hook, forcing a full skeleton override just to add the nonce. Added `{% block body_attrs %}` so projects stamp a **single inherited nonce**: `hx-nonce:inherited="{{ csp_nonce }}"`. Verified against the htmx 4 source that `:inherited` resolves `hx-nonce` from ancestors and the extension reads it via the same `attributeValue` path — so one stamp on `<body>` covers every htmx element.

### 3. `htmx_config` skeleton block (friction #3)

- `htmx.config.safeEval` must be set before the extension's `init`, but ESM hoists imports so `htmx.config.safeEval = true` in `config.js` runs too late. The htmx-native fix is the `<meta name="htmx-config">` tag — **but** htmx reads that meta *synchronously when its script evaluates* (`#initHtmxConfig` in the constructor), not at DOMContentLoaded. The skeleton's `head` block renders *after* the bundle script, so it would be too late.
- Added a dedicated `{% block htmx_config %}` positioned **just before** the bundle script, so a meta placed there is parsed first. Documented:

```jinja
{% block htmx_config %}
<meta name="htmx-config" content='extensions:"hx-csp",safeEval:true'>
{% endblock htmx_config %}
```

### 4. Docs

- `development-guide.md`, `llms.txt`, `llms-full.txt` updated to the new import path, the `body_attrs` single-stamp pattern, and the `htmx_config`/meta safeEval approach.

## Testing

- `test_skeleton_extension_points.py`: new `TestBodyAttrs` (renders inside `<body>`, empty by default) and `test_htmx_config_block_renders_before_bundle_js` (ordering invariant — the whole point of the block).
- Full unit suite: **902 passed**. ruff, djlint, rumdl all clean (pre-commit green). `node --check` on the new JS, and a bun build of the re-export.

## Notes

- Docs reference "added in 10.20.0" as the version that introduces the `@alltuner/vibetuner/htmx/csp` subpath (next minor after the just-released 10.19.0).
- The existing explicit `hx-nonce` on `user/profile.html.jinja` is left as-is — harmless, and it inherits correctly whether or not a project sets `body_attrs`.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
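An added example, not part of the commit or the project's code: a check over rendered HTML for the two invariants the commit message above describes, that the `htmx-config` meta precedes the bundle script and that `<body>` carries the inherited nonce. The sample pages, the `/static/bundle.js` path, the function names, and treating the first external script as the bundle are assumptions.

```python
from html.parser import HTMLParser


class SkeletonScan(HTMLParser):
    """Records the htmx-config meta and external scripts in document order."""
    def __init__(self):
        super().__init__()
        self.events = []       # ("meta", content) or ("script", src)
        self.body_attrs = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == "htmx-config":
            self.events.append(("meta", a.get("content") or ""))
        elif tag == "script" and a.get("src"):
            self.events.append(("script", a["src"]))
        elif tag == "body":
            self.body_attrs = a


def check_strict_csp_skeleton(html, nonce):
    """Return a list of findings; an empty list means the page passes."""
    scan = SkeletonScan()
    scan.feed(html)
    findings = []
    kinds = [kind for kind, _ in scan.events]
    if "meta" not in kinds:
        findings.append("no htmx-config meta in the page")
    else:
        # Assumption: the first external script is the bundle that loads htmx.
        if "script" in kinds and kinds.index("script") < kinds.index("meta"):
            findings.append("htmx-config meta comes after the bundle script")
        content = next(v for kind, v in scan.events if kind == "meta")
        if "safeEval:true" not in content.replace(" ", ""):
            findings.append("htmx-config meta does not set safeEval:true")
    stamped = scan.body_attrs.get("hx-nonce:inherited")
    if stamped is None:
        findings.append("<body> has no hx-nonce:inherited attribute")
    elif stamped != nonce:
        findings.append("<body> nonce differs from the CSP nonce")
    return findings


# Constructed sample pages; /static/bundle.js is a hypothetical path.
META = "<meta name=\"htmx-config\" content='extensions:\"hx-csp\",safeEval:true'>"
SCRIPT = '<script src="/static/bundle.js"></script>'
BODY = '<body hx-nonce:inherited="r4nd0m"><p>hi</p></body>'
GOOD = f"<html><head>{META}{SCRIPT}</head>{BODY}</html>"
LATE = f"<html><head>{SCRIPT}{META}</head><body></body></html>"
```

Run against a rendered response in a template test, passing the nonce the server put in the `Content-Security-Policy` header for that request.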
davidpoblador added a commit that referenced this pull request Jun 2, 2026
## Summary

Fixes #1974. `vibetuner worker-health` paid the full CLI/app bootstrap before it ever read the streaq health key. The console script was `vibetuner.cli:app`, so importing the CLI package eagerly imported every sub-command **and** ran `load_app_config()`, which imports the user's entire `tune.py` (config, `BlobService`, rate limiter). On a real deploy that bootstrap takes ~5s, so every probe was killed at the scaffolded healthcheck's `timeout: 5s` (ExitCode -1) before the check logic ran, and a healthy worker flapped to permanently `unhealthy`.

## Fix

This is the issue's suggested fix #1 (lightweight fast path), done at the root cause — the entry point.

- The console entry is now `vibetuner.cli:main`. `main()` dispatches `worker-health` straight to a lightweight check **before** the heavy Typer app is imported.
- New `vibetuner/cli/health.py` holds the check: it imports only `vibetuner.config` and a Redis client, then reads the `streaq:{queue}:health:*` key. Same exit-code contract as before.
- The full Typer app (every command + the user CLI via `load_app_config()`) moved to `vibetuner/cli/root.py`, built lazily. `vibetuner.cli.__init__` stays tiny and re-exposes `app`/`AsyncTyper` lazily via `__getattr__` for existing importers.
- `python -m vibetuner` now routes through `main()` too, so the fast path applies there as well.
- Template `pyproject.toml.j2` entry point bumped to `vibetuner.cli:main` so new scaffolds get the fast path.

The healthcheck now returns in well under a second, comfortably inside the existing 5s timeout — no timeout bump needed (issue suggestion #2 left untouched).

## Verification

- `uv run vibetuner worker-health` and `python -m vibetuner worker-health` complete in ~0.4s; the fast path does **not** import `vibetuner.cli.root`, `scaffold`, or `copier` (verified via a fresh-interpreter regression test).
- `version` and all other commands still build the full app unchanged.
- Full unit suite green (961 passed), including the existing 4 worker-health tests plus a new fast-path regression test.

## Docs

- `cli-reference.md` notes the fast-path behavior for ops users tuning healthcheck timeouts.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This PR contains the following updates:

`^4.1.5` -> `^5.0.0`

This is a special PR that replaces `npm-run-all` with the community suggested minimal stable replacement version.

Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.