chore: add onlyBuiltDependencies after installing amazon-cognito-identity-js

[jonathan-nicoletti]

Summary

• pnpm install auto-generated an onlyBuiltDependencies list in the root package.json when amazon-cognito-identity-js was pulled in as a new dependency for this PR
• Without this, pnpm install on a fresh clone will warn/fail on the new dependency's install scripts
• All CI checks pass with this change (turbo run lint && typecheck && test, 14/14 tasks)

Test plan

• Ran pnpm install on the t3code/claris-id-support branch
• Ran pnpm run ci — 14/14 tasks successful, zero failures
• Ran Claris ID smoke test against iasp.account.filemaker-cloud.com — all 5 operations passed

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated package dependency management configuration to optimize build handling for specific packages requiring native compilation during installation.

[changeset-bot]

⚠️ No Changeset found

Latest commit: a25fb13

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

@jonathan-nicoletti is attempting to deploy a commit to the Proof Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

📝 Walkthrough

Walkthrough

A pnpm.onlyBuiltDependencies configuration array was added to package.json, specifying ten packages (@parcel/watcher, @prisma/client, @prisma/engines, better-sqlite3, es5-ext, esbuild, msgpackr-extract, msw, prisma, sharp) for pnpm's built dependency handling.

Changes

Cohort / File(s)	Summary
pnpm Configuration package.json	Added pnpm.onlyBuiltDependencies configuration array with 10 packages that require built-from-source compilation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a pnpm onlyBuiltDependencies configuration after installing amazon-cognito-identity-js.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 61-72: The onlyBuiltDependencies allowlist contains packages that
aren't present or marked as requiring builds in our repo (see
onlyBuiltDependencies array), so audit and shrink this list: inspect the
monorepo package.json files and the lockfile to find packages with
requiresBuild/hasNativeBuild flags (or that are direct dev/prod dependencies),
remove entries not referenced (e.g., sharp, esbuild, better-sqlite3,
`@parcel/watcher`, msgpackr-extract, msw, es5-ext unless you confirm they truly
require a build), and keep only genuine build-dependent packages (likely the
`@prisma/`* entries if confirmed). After updating the onlyBuiltDependencies array,
run the verification script/CI locally against the lockfile to ensure no false
positives and commit the cleaned list.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 33fc7ae0-0b0a-42ad-a851-0e4b8a8bf2c2

📥 Commits

Reviewing files that changed from the base of the PR and between 2f0f8f3 and a25fb13.

📒 Files selected for processing (1)

• package.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

LOCKFILE="$(fd -HI '^pnpm-lock\.yaml$' | head -n1)"
if [[ -z "${LOCKFILE:-}" ]]; then
  echo "pnpm-lock.yaml not found"
  exit 1
fi

python - <<'PY'
import json, re, pathlib, sys

pkg = json.loads(pathlib.Path("package.json").read_text())
allow = set(pkg.get("pnpm", {}).get("onlyBuiltDependencies", []))

lock_path = pathlib.Path("pnpm-lock.yaml")
if not lock_path.exists():
    # fallback if lockfile is not at repo root
    import subprocess
    found = subprocess.check_output(
        ["bash", "-lc", "fd -HI '^pnpm-lock\\.yaml$' | head -n1"],
        text=True
    ).strip()
    if not found:
        print("pnpm-lock.yaml not found")
        sys.exit(1)
    lock_path = pathlib.Path(found)

lines = lock_path.read_text(encoding="utf-8", errors="ignore").splitlines()

in_packages = False
current_key = None
requires_build = set()

key_re = re.compile(r"^\s{2}(?:'([^']+)'|\"([^\"]+)\"|([^:\s][^:]*)):\s*$")
req_re = re.compile(r"^\s{4}requiresBuild:\s*true\s*$")

for line in lines:
    if line.strip() == "packages:":
        in_packages = True
        current_key = None
        continue
    if in_packages and re.match(r"^\S", line):  # next top-level section
        in_packages = False
        current_key = None
    if not in_packages:
        continue

    km = key_re.match(line)
    if km:
        current_key = next(g for g in km.groups() if g)
        continue

    if current_key and req_re.match(line):
        base = current_key.split("(")[0]  # remove peer suffixes
        if base.startswith("@"):
            m = re.match(r"^(@[^/]+/[^@]+)@", base)
        else:
            m = re.match(r"^([^@]+)@", base)
        if m:
            requires_build.add(m.group(1))

missing = sorted(requires_build - allow)
stale = sorted(allow - requires_build)

print(f"Lockfile: {lock_path}")
print(f"requiresBuild packages: {len(requires_build)}")
print(f"allowlist packages: {len(allow)}")

print("\nMissing from pnpm.onlyBuiltDependencies:")
for name in missing:
    print(f"  - {name}")

print("\nPresent in pnpm.onlyBuiltDependencies but not lockfile requiresBuild:")
for name in stale:
    print(f"  - {name}")

# Fail only on missing entries; stale entries can be cleaned up separately.
if missing:
    sys.exit(2)
PY

Repository: proofsh/proofkit

Length of output: 398

---

🏁 Script executed:

fd -HI '^pnpm-lock\.yaml$' -exec wc -l {} \;

Repository: proofsh/proofkit

Length of output: 246

---

🏁 Script executed:

fd -HI '^pnpm-lock\.yaml$' -exec head -100 {} \;

Repository: proofsh/proofkit

Length of output: 248

---

🏁 Script executed:

rg 'requiresBuild:\s*true' pnpm-lock.yaml -A 2 -B 2 | head -50

Repository: proofsh/proofkit

Length of output: 42

---

🏁 Script executed:

ls -lah pnpm-lock.yaml

Repository: proofsh/proofkit

Length of output: 123

---

🏁 Script executed:

head -200 pnpm-lock.yaml

Repository: proofsh/proofkit

Length of output: 7770

---

🏁 Script executed:

rg 'prisma|sharp|esbuild|better-sqlite3' pnpm-lock.yaml | head -20

Repository: proofsh/proofkit

Length of output: 1145

---

🏁 Script executed:

cat -n package.json | sed -n '1,100p'

Repository: proofsh/proofkit

Length of output: 2703

---

🏁 Script executed:

rg '@parcel/watcher|@prisma/client|@prisma/engines|better-sqlite3|es5-ext|esbuild|msgpackr-extract|msw|prisma|sharp' package.json

Repository: proofsh/proofkit

Length of output: 260

---

🏁 Script executed:

rg 'prisma|esbuild|sharp|better-sqlite3|msgpackr|@parcel/watcher|msw|es5-ext|@prisma' packages/ apps/ --type json -l | head -10

Repository: proofsh/proofkit

Length of output: 115

---

🏁 Script executed:

grep -r "prisma\|esbuild\|sharp" packages/*/package.json apps/*/package.json 2>/dev/null | head -20

Repository: proofsh/proofkit

Length of output: 567

---

Review allowlist for accuracy before adding CI checks (Lines 61-72).

The onlyBuiltDependencies allowlist includes 10 packages, but only prisma-related packages appear as direct dependencies in subpackages. Packages like sharp, esbuild, better-sqlite3, @parcel/watcher, and others are not found in any package.json. Additionally, the lockfile contains zero requiresBuild entries, meaning a CI check comparing the allowlist to lockfile markers would report all 10 entries as extraneous.

Before implementing the suggested verification script, audit the allowlist to confirm which packages actually require builds and should remain in the configuration.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 61 - 72, The onlyBuiltDependencies allowlist
contains packages that aren't present or marked as requiring builds in our repo
(see onlyBuiltDependencies array), so audit and shrink this list: inspect the
monorepo package.json files and the lockfile to find packages with
requiresBuild/hasNativeBuild flags (or that are direct dev/prod dependencies),
remove entries not referenced (e.g., sharp, esbuild, better-sqlite3,
`@parcel/watcher`, msgpackr-extract, msw, es5-ext unless you confirm they truly
require a build), and keep only genuine build-dependent packages (likely the
`@prisma/`* entries if confirmed). After updating the onlyBuiltDependencies array,
run the verification script/CI locally against the lockfile to ensure no false
positives and commit the cleaned list.