Migrate JSONC reader + line locators to agent-gov-core@v0.1.1

action.yml

@@ -1,3 +1,3 @@
 name: ScopeTrail
 description: Code review for AI agent permission drift in pull requests.
 author: Conal
@@ -35,6 +35,10 @@
 runs:
   using: composite
   steps:
+    - name: Install ScopeTrail dependencies
+      shell: bash
+      working-directory: ${{ github.action_path }}
+      run: npm ci --omit=dev --no-audit --no-fund
     - name: Run ScopeTrail permission drift review
       id: run
       shell: bash

dist/discovery.js

@@ -1,12 +1,19 @@
 import { readFile } from 'node:fs/promises';
 import { join } from 'node:path';
+import { stripJsonComments, lineOfJsonKey as coreLineOfJsonKey, lineOfJsonStringValue as coreLineOfJsonStringValue, } from 'agent-gov-core';
 export async function readJsonObject(path) {
     return (await readJsonObjectWithSource(path)).json;
 }
+/**
+ * Read a JSONC file. Comments and trailing commas are stripped via
+ * agent-gov-core, then JSON.parse runs against the stripped (but
+ * position-preserving) text. Missing files resolve to an empty object so
+ * detectors can run on repos that haven't adopted Claude settings yet.
+ */
 export async function readJsonObjectWithSource(path) {
     try {
         const raw = await readFile(path, 'utf8');
-        const parsed = JSON.parse(raw);
+        const parsed = JSON.parse(stripJsonComments(raw));
         return { json: isRecord(parsed) ? parsed : {}, text: raw };
     }
     catch (error) {
@@ -23,20 +30,12 @@
     return typeof value === 'object' && value !== null && !Array.isArray(value);
 }
 export function lineOfJsonKey(text, key) {
-    const keyPattern = new RegExp(`"${escapeRegExp(key)}"\\s*:`);
-    return lineOfPattern(text, keyPattern);
+    const line = coreLineOfJsonKey(text, key);
+    return line === 0 ? undefined : line;
 }
 export function lineOfJsonStringValue(text, value) {
-    const encoded = JSON.stringify(value);
-    return lineOfPattern(text, new RegExp(escapeRegExp(encoded)));
-}
-function lineOfPattern(text, pattern) {
-    const lines = text.split(/\r?\n/);
-    const index = lines.findIndex((line) => pattern.test(line));
-    return index === -1 ? undefined : index + 1;
-}
-function escapeRegExp(value) {
-    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const line = coreLineOfJsonStringValue(text, value);
+    return line === 0 ? undefined : line;
 }
 function isNodeError(error) {
     return error instanceof Error && 'code' in error;

package.json

@@ -10,6 +10,9 @@
     "build": "tsc -p tsconfig.json",
     "test": "node --test"
   },
+  "dependencies": {
+    "agent-gov-core": "github:Conalh/agent-gov-core#v0.1.1"
+  },
   "devDependencies": {
     "@types/node": "^24.0.0",
     "typescript": "^5.9.3"

src/discovery.ts

@@ -1,5 +1,10 @@
 import { readFile } from 'node:fs/promises';
 import { join } from 'node:path';
+import {
+  stripJsonComments,
+  lineOfJsonKey as coreLineOfJsonKey,
+  lineOfJsonStringValue as coreLineOfJsonStringValue,
+} from 'agent-gov-core';
 
 export async function readJsonObject(path: string): Promise<Record<string, unknown>> {
   return (await readJsonObjectWithSource(path)).json;
@@ -10,10 +15,16 @@
   text: string;
 }
 
+/**
+ * Read a JSONC file. Comments and trailing commas are stripped via
+ * agent-gov-core, then JSON.parse runs against the stripped (but
+ * position-preserving) text. Missing files resolve to an empty object so
+ * detectors can run on repos that haven't adopted Claude settings yet.
+ */
 export async function readJsonObjectWithSource(path: string): Promise<JsonObjectSource> {
   try {
     const raw = await readFile(path, 'utf8');
-    const parsed: unknown = JSON.parse(raw);
+    const parsed: unknown = JSON.parse(stripJsonComments(raw));
     return { json: isRecord(parsed) ? parsed : {}, text: raw };
   } catch (error) {
     if (isNodeError(error) && error.code === 'ENOENT') {
@@ -33,23 +44,13 @@
 }
 
 export function lineOfJsonKey(text: string, key: string): number | undefined {
-  const keyPattern = new RegExp(`"${escapeRegExp(key)}"\\s*:`);
-  return lineOfPattern(text, keyPattern);
+  const line = coreLineOfJsonKey(text, key);
+  return line === 0 ? undefined : line;
 }
 
 export function lineOfJsonStringValue(text: string, value: string): number | undefined {
-  const encoded = JSON.stringify(value);
-  return lineOfPattern(text, new RegExp(escapeRegExp(encoded)));
-}
-
-function lineOfPattern(text: string, pattern: RegExp): number | undefined {
-  const lines = text.split(/\r?\n/);
-  const index = lines.findIndex((line) => pattern.test(line));
-  return index === -1 ? undefined : index + 1;
-}
-
-function escapeRegExp(value: string): string {
-  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  const line = coreLineOfJsonStringValue(text, value);
+  return line === 0 ? undefined : line;
 }
 
 function isNodeError(error: unknown): error is NodeJS.ErrnoException {

test/action-metadata.test.mjs

@@ -24,14 +24,18 @@ test('GitHub Action metadata exposes PR drift inputs', async () => {
   assert.match(action, /--format github/);
 });
 
-test('GitHub Action uses committed runtime without installing dependencies in consumer workflows', async () => {
+test('GitHub Action uses committed dist and a deps-only install (no build) in consumer workflows', async () => {
   const action = await readFile(join(packageRoot, 'action.yml'), 'utf8');
   const gitignore = await readFile(join(packageRoot, '.gitignore'), 'utf8');
 
   assert.match(action, /node "\$GITHUB_ACTION_PATH\/dist\/index\.js" diff --repo/);
-  assert.doesNotMatch(action, /npm ci/);
+  // dist/ is committed so consumers don't run a TypeScript build at action time.
   assert.doesNotMatch(action, /npm run build/);
+  assert.doesNotMatch(action, /tsc /);
   assert.doesNotMatch(gitignore, /^dist\/$/m);
+  // After the agent-gov-core migration the action installs runtime deps only
+  // (--omit=dev) so the external import resolves without a build step.
+  assert.match(action, /npm ci .*--omit=dev/);
 });
 
 test('public Action install tags match package version', async () => {