Enable expanded Biome lint rules

[rtbenfield]

Enables the expanded Biome rule set for the CLI repo and brings the current codebase into compliance so future changes are checked consistently.

Changes

• Biome configuration: Enables the previously commented complexity, nursery, performance, style, and suspicious rules in biome.jsonc, and removes the stale commented rule block once all rules are active.
• Lint compliance: Applies the required formatter/linter cleanup across CLI, compute, scripts, examples, and tests. The largest behavioral-preserving refactors split high-complexity functions in app deployment, branch database setup, project resolution, command rendering, and help rendering.
• Intentional suppressions: Adds rationale-backed suppressions where the new rules conflict with deliberate existing patterns, mainly sequential pagination/polling loops, public package entrypoint re-exports, inline regex readability, and compact existing presentation expressions.
• Entrypoint and tests: Replaces floating promise chains in the CLI entrypoint with top-level await, converts disposable guard tests to using, and updates test assertions/mocks to satisfy the stricter rules.

Why

The rules are enabled one at a time with isolated commits so reviewers can inspect each category independently. Some rules are intentionally suppressed for existing code where the lint recommendation would require a broader semantic audit, especially noAwaitInLoops and useTopLevelRegex; this keeps the PR focused on establishing the guardrails without changing concurrency, polling, or parsing behavior opportunistically.

Verification

• pnpm run lint
• pnpm --filter @prisma/compute test
• pnpm --filter @prisma/compute build
• pnpm --filter @prisma/cli build
• pnpm --filter @prisma/cli exec vitest run tests/app-env-vars.test.ts tests/project-real-mode.test.ts
• pnpm --filter @prisma/cli exec vitest run tests/update-check.test.ts

Full pnpm --filter @prisma/cli test was also attempted and still fails on existing constructor-mock issues where mocked classes are arrow functions used with new; those failures are unrelated to this lint-rule enablement.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: aa5b3c3b-c45c-465b-9a4e-4c846868cef1

📥 Commits

Reviewing files that changed from the base of the PR and between 91c4f3f and efea28e.

📒 Files selected for processing (7)

• packages/cli/src/controllers/app.ts
• packages/cli/src/lib/app/branch-database.ts
• packages/cli/tests/helpers.ts
• packages/cli/tests/project-real-mode.test.ts
• packages/compute/tests/scale-to-zero.test.ts
• scripts/prepare-cli-publish.d.mts
• scripts/resolve-cli-version.d.mts

---

Summary by CodeRabbit

• Chores

  • Updated Node.js minimum to 22.12.0 and added Biome (format/lint) with new scripts.
  • Added a PR Quality GitHub Actions workflow (typecheck, lint, test) and documentation recommending pinning actions to commit SHAs.
  • Broad formatting and structural cleanups across the codebase.

• Bug Fixes

  • Improved masking/redaction of sensitive values (emails and URL credentials).
  • Slimmed serialization for database-connection removal to return a focused result.

Walkthrough

The PR adds a PR quality workflow, pins the Node version, adds Biome configuration and package scripts, and updates workflow guidance. It refactors many CLI commands, controllers, libraries, presenters, and shell modules, with a few targeted behavior changes such as top-level await in the entrypoint, login paste-callback helper extraction, database connection removal serialization, masking updates, preview-build symlink materialization, auth workspace lookup wiring, and test helper default cwd handling. It also updates and extends tests across app deploy, preview build, env handling, auth, database, project, output, and command runner paths.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/biome

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch chore/biome

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

packages/cli/src/lib/project/resolution.ts (2)

255-265: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Don't hardcode app deploy in ambiguous-project recovery.

projectResolutionErrorToCliError() is also used by project show, git connect, and git disconnect in packages/cli/src/controllers/project.ts, so this helper can surface PROJECT_AMBIGUOUS outside deploy flows. Suggesting prisma-cli app deploy --project ... here sends users to the wrong command. Either parameterize the retry step with the originating command or keep this helper command-agnostic.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cli/src/lib/project/resolution.ts` around lines 255 - 265, The
helper projectAmbiguousCliError currently hardcodes a retry suggestion with
"prisma-cli app deploy --project ..." which is incorrect for callers like
project show, git connect, and git disconnect; modify projectAmbiguousCliError
to either accept an optional originatingCommand string parameter (e.g.,
originatingCommand?: string) and use it to build the nextSteps entry
(`${originatingCommand} --project ${firstMatch.id}`) or remove the specific
subcommand and instead push a command-agnostic hint such as `prisma-cli
--project ${firstMatch.id}` or `prisma-cli <command> --project ${firstMatch.id}`
so the suggestion is correct for all callers (update all call sites of
projectAmbiguousCliError accordingly to pass the originating command when
available).

---

524-539: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Don't treat arbitrary directory names as valid project-create defaults.

The package-name path is validated, but the directory fallback returns path.basename(cwd) verbatim. In directories like my app, downstream helpers build prisma-cli project create 'my app', which then fails the CLI's own project-name validation. Only surface a suggested name/create command when the basename passes the same validity check, or sanitize/omit the suggestion first.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cli/src/lib/project/resolution.ts` around lines 524 - 539, The
fallback that returns path.basename(cwd) verbatim can produce invalid project
names (e.g., "my app"); update inferTargetName to only return a
directory-derived suggestion when it passes isValidInferredTargetName or can be
deterministically sanitized into a valid name: get dirName = path.basename(cwd),
if isValidInferredTargetName(dirName) return it (source "directory-name");
otherwise produce a sanitized candidate (e.g., normalize whitespace to hyphens
and strip invalid chars), validate it with isValidInferredTargetName and if
valid return that with source "directory-name-sanitized"; if neither original
nor sanitized pass validation, do not surface a usable suggestion (e.g., return
a null/empty/none name or a source indicating no suggestion) so downstream
callers like project-create are not given an invalid name. Ensure this logic
sits in inferTargetName and relies on readPackageName/isValidInferredTargetName
for consistency.

packages/cli/src/lib/app/bun-project.ts (1)

21-31: ⚠️ Potential issue | 🟡 Minor

Keep abort handling consistent for filesystem operations.

• readBunPackageJson (packages/cli/src/lib/app/bun-project.ts) wraps aborted reads in a generic Failed to read ... error instead of rethrowing the original abort error.
• LocalStateStore.write (packages/cli/src/adapters/local-state.ts) calls writeFile without passing this.signal, so cancellation during the write isn’t propagated.

🔧 Proposed fixes

--- a/packages/cli/src/lib/app/bun-project.ts
+++ b/packages/cli/src/lib/app/bun-project.ts
@@
   } catch (error) {
+    if (signal?.aborted) throw error;
     if ((error as NodeJS.ErrnoException).code === "ENOENT") {
       return null;
     }

--- a/packages/cli/src/adapters/local-state.ts
+++ b/packages/cli/src/adapters/local-state.ts
@@
     await writeFile(this.stateFilePath, `${JSON.stringify(state, null, 2)}\n`, {
       encoding: "utf8",
+      signal: this.signal,
     });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cli/src/lib/app/bun-project.ts` around lines 21 - 31,
readBunPackageJson currently converts aborts into a generic "Failed to read..."
error and LocalStateStore.write doesn't pass the instance signal into writeFile;
update readBunPackageJson's catch to rethrow the original abort error when the
read was cancelled (e.g. check error.name === "AbortError" or signal.aborted and
rethrow) instead of wrapping it, and update LocalStateStore.write to pass
this.signal into the writeFile options so cancellation is propagated (locate
readBunPackageJson in packages/cli/src/lib/app/bun-project.ts and
LocalStateStore.write in packages/cli/src/adapters/local-state.ts).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pr-quality.yml:
- Around line 22-23: The checkout steps currently use actions/checkout without
disabling persisted credentials; update each Checkout step (the steps with
"name: Checkout" and "uses: actions/checkout@...") to add the input
persist-credentials: false so the default token is not written into git config;
do this for all three occurrences (the existing Checkout steps at the start and
the other two occurrences referenced in the comment) by adding a
persist-credentials: false key under each checkout step.

In `@examples/next-smoke/app/globals.css`:
- Line 43: The font-family list containing "SFMono-Regular", ui-monospace,
"Cascadia Mono", "Segoe UI Mono", Menlo, should be updated to remove the
surrounding quotes for SFMono-Regular; find the font-family declaration that
includes "SFMono-Regular" and replace "SFMono-Regular" with SFMono-Regular so
the family name is unquoted and Stylelint stops flagging it.

In `@package.json`:
- Around line 11-12: The package.json scripts currently have "lint": "biome
check . --write" which mutates the workspace; change "lint" to a read-only
verification ("biome check ." or similar without --write) and add a separate
script like "lint:fix" (or "format") that runs "biome check . --write" (or
"biome format . --write") so CI can run yarn/pnpm run lint as a non-mutating
check while developers can run lint:fix to auto-apply fixes; update the scripts
entries "lint" and add "lint:fix"/"format" accordingly.

In `@packages/cli/src/controllers/project.ts`:
- Line 1: Remove the file-level directive "biome-ignore-all
lint/performance/noAwaitInLoops" and instead add a scoped biome-ignore comment
around only the sequential-await loop blocks used for GitHub App install polling
and repository pagination (the for/while/do-while loops that perform install
polling and paginated repo lookups in this controller); locate the loops that
perform the install polling and repository pagination in
packages/cli/src/controllers/project.ts and place a single-line "biome-ignore
lint/performance/noAwaitInLoops" immediately above each loop block so other
await-in-loop occurrences in this file remain linted.

In `@packages/cli/src/presenters/database.ts`:
- Around line 327-331: The serializer serializeDatabaseConnectionRemove
currently returns the raw DatabaseConnectionRemoveResult and can leak
verboseContext; update it to return stripVerboseContext(result) instead so the
output matches other database serializers and removes internal verboseContext
before emitting JSON (use the existing stripVerboseContext helper and keep the
function signature serializeDatabaseConnectionRemove(result:
DatabaseConnectionRemoveResult)).

In `@packages/cli/src/shell/ui.ts`:
- Around line 253-263: The isEmailLocalPartChar helper currently only allows
A-Z, a-z, 0-9 and the punctuation . _ % + - which causes characters like
apostrophe (') and ampersand (&) to be treated as delimiters and leak local-part
data; update isEmailLocalPartChar to include additional valid RFC-local-part
characters such as ' and & (and any other minimal set you deem safe for our use)
so maskValue will treat them as part of the local-part, then add unit tests
covering at least an apostrophe case (e.g., "o'hara@example.com") and an
ampersand case (e.g., "billing&alerts@example.com") to assert full masking
behavior.

---

Outside diff comments:
In `@packages/cli/src/lib/app/bun-project.ts`:
- Around line 21-31: readBunPackageJson currently converts aborts into a generic
"Failed to read..." error and LocalStateStore.write doesn't pass the instance
signal into writeFile; update readBunPackageJson's catch to rethrow the original
abort error when the read was cancelled (e.g. check error.name === "AbortError"
or signal.aborted and rethrow) instead of wrapping it, and update
LocalStateStore.write to pass this.signal into the writeFile options so
cancellation is propagated (locate readBunPackageJson in
packages/cli/src/lib/app/bun-project.ts and LocalStateStore.write in
packages/cli/src/adapters/local-state.ts).

In `@packages/cli/src/lib/project/resolution.ts`:
- Around line 255-265: The helper projectAmbiguousCliError currently hardcodes a
retry suggestion with "prisma-cli app deploy --project ..." which is incorrect
for callers like project show, git connect, and git disconnect; modify
projectAmbiguousCliError to either accept an optional originatingCommand string
parameter (e.g., originatingCommand?: string) and use it to build the nextSteps
entry (`${originatingCommand} --project ${firstMatch.id}`) or remove the
specific subcommand and instead push a command-agnostic hint such as `prisma-cli
--project ${firstMatch.id}` or `prisma-cli <command> --project ${firstMatch.id}`
so the suggestion is correct for all callers (update all call sites of
projectAmbiguousCliError accordingly to pass the originating command when
available).
- Around line 524-539: The fallback that returns path.basename(cwd) verbatim can
produce invalid project names (e.g., "my app"); update inferTargetName to only
return a directory-derived suggestion when it passes isValidInferredTargetName
or can be deterministically sanitized into a valid name: get dirName =
path.basename(cwd), if isValidInferredTargetName(dirName) return it (source
"directory-name"); otherwise produce a sanitized candidate (e.g., normalize
whitespace to hyphens and strip invalid chars), validate it with
isValidInferredTargetName and if valid return that with source
"directory-name-sanitized"; if neither original nor sanitized pass validation,
do not surface a usable suggestion (e.g., return a null/empty/none name or a
source indicating no suggestion) so downstream callers like project-create are
not given an invalid name. Ensure this logic sits in inferTargetName and relies
on readPackageName/isValidInferredTargetName for consistency.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: efac4d70-d28c-446d-8327-9c7cf9d63bf1

📥 Commits

Reviewing files that changed from the base of the PR and between 683504d and 2bd3a59.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (136)

• .github/workflows/AGENTS.md
• .github/workflows/pr-quality.yml
• .node-version
• biome.jsonc
• examples/next-smoke/app/globals.css
• examples/next-smoke/app/page.tsx
• examples/next-smoke/tsconfig.json
• package.json
• packages/cli/src/adapters/git.ts
• packages/cli/src/adapters/local-state.ts
• packages/cli/src/adapters/mock-api.ts
• packages/cli/src/adapters/token-storage.ts
• packages/cli/src/bin.ts
• packages/cli/src/cli.ts
• packages/cli/src/commands/app/index.ts
• packages/cli/src/commands/auth/index.ts
• packages/cli/src/commands/branch/index.ts
• packages/cli/src/commands/database/index.ts
• packages/cli/src/commands/env.ts
• packages/cli/src/commands/git/index.ts
• packages/cli/src/commands/project/index.ts
• packages/cli/src/commands/version/index.ts
• packages/cli/src/controllers/app-env-api.ts
• packages/cli/src/controllers/app-env-file.ts
• packages/cli/src/controllers/app-env.ts
• packages/cli/src/controllers/app.ts
• packages/cli/src/controllers/auth.ts
• packages/cli/src/controllers/branch.ts
• packages/cli/src/controllers/database.ts
• packages/cli/src/controllers/project.ts
• packages/cli/src/controllers/select-prompt-port.ts
• packages/cli/src/controllers/version.ts
• packages/cli/src/lib/app/branch-database-deploy.ts
• packages/cli/src/lib/app/branch-database.ts
• packages/cli/src/lib/app/bun-project.ts
• packages/cli/src/lib/app/deploy-output.ts
• packages/cli/src/lib/app/domain-guidance.ts
• packages/cli/src/lib/app/env-config.ts
• packages/cli/src/lib/app/env-file.ts
• packages/cli/src/lib/app/env-vars.ts
• packages/cli/src/lib/app/local-dev.ts
• packages/cli/src/lib/app/preview-branch-database.ts
• packages/cli/src/lib/app/preview-build-settings.ts
• packages/cli/src/lib/app/preview-build.ts
• packages/cli/src/lib/app/preview-interaction.ts
• packages/cli/src/lib/app/preview-progress.ts
• packages/cli/src/lib/app/preview-provider.ts
• packages/cli/src/lib/app/production-deploy-gate.ts
• packages/cli/src/lib/auth/auth-ops.ts
• packages/cli/src/lib/auth/client.ts
• packages/cli/src/lib/auth/login.ts
• packages/cli/src/lib/database/provider.ts
• packages/cli/src/lib/diagnostics.ts
• packages/cli/src/lib/git/local-branch.ts
• packages/cli/src/lib/git/local-status.ts
• packages/cli/src/lib/project/interactive-setup.ts
• packages/cli/src/lib/project/local-pin.ts
• packages/cli/src/lib/project/resolution.ts
• packages/cli/src/lib/project/setup.ts
• packages/cli/src/lib/version.ts
• packages/cli/src/output/patterns.ts
• packages/cli/src/presenters/app-env.ts
• packages/cli/src/presenters/app.ts
• packages/cli/src/presenters/auth.ts
• packages/cli/src/presenters/branch.ts
• packages/cli/src/presenters/database.ts
• packages/cli/src/presenters/project.ts
• packages/cli/src/presenters/verbose-context.ts
• packages/cli/src/presenters/version.ts
• packages/cli/src/shell/command-arguments.ts
• packages/cli/src/shell/command-meta.ts
• packages/cli/src/shell/command-runner.ts
• packages/cli/src/shell/diagnostics-output.ts
• packages/cli/src/shell/errors.ts
• packages/cli/src/shell/global-flags.ts
• packages/cli/src/shell/help.ts
• packages/cli/src/shell/next-actions.ts
• packages/cli/src/shell/output.ts
• packages/cli/src/shell/prompt.ts
• packages/cli/src/shell/runtime.ts
• packages/cli/src/shell/ui.ts
• packages/cli/src/shell/update-check.ts
• packages/cli/src/types/app.ts
• packages/cli/src/types/project.ts
• packages/cli/src/use-cases/auth.ts
• packages/cli/src/use-cases/branch.ts
• packages/cli/src/use-cases/contracts.ts
• packages/cli/src/use-cases/create-cli-gateways.ts
• packages/cli/src/use-cases/project.ts
• packages/cli/tests/app-branch-database.test.ts
• packages/cli/tests/app-build.test.ts
• packages/cli/tests/app-bun-compat.test.ts
• packages/cli/tests/app-controller.test.ts
• packages/cli/tests/app-env-presenter.test.ts
• packages/cli/tests/app-env-vars.test.ts
• packages/cli/tests/app-env.test.ts
• packages/cli/tests/app-local-dev.test.ts
• packages/cli/tests/app-presenter.test.ts
• packages/cli/tests/app-provider.test.ts
• packages/cli/tests/app-state.test.ts
• packages/cli/tests/app.test.ts
• packages/cli/tests/auth-login.test.ts
• packages/cli/tests/auth-ops.test.ts
• packages/cli/tests/auth-real-mode.test.ts
• packages/cli/tests/auth.test.ts
• packages/cli/tests/branch-controller.test.ts
• packages/cli/tests/branch.test.ts
• packages/cli/tests/command-runner-auth.test.ts
• packages/cli/tests/command-runner.test.ts
• packages/cli/tests/database.test.ts
• packages/cli/tests/git-adapter.test.ts
• packages/cli/tests/helpers.ts
• packages/cli/tests/helpers/mock-factories.ts
• packages/cli/tests/output.test.ts
• packages/cli/tests/production-deploy-gate.test.ts
• packages/cli/tests/project-controller.test.ts
• packages/cli/tests/project-real-mode.test.ts
• packages/cli/tests/project-resolution.test.ts
• packages/cli/tests/project.test.ts
• packages/cli/tests/prompt.test.ts
• packages/cli/tests/publish-prep.test.ts
• packages/cli/tests/resolve-cli-version.test.ts
• packages/cli/tests/shell.test.ts
• packages/cli/tests/token-storage.test.ts
• packages/cli/tests/update-check.test.ts
• packages/cli/tests/use-case-helpers.ts
• packages/cli/tests/version.test.ts
• packages/compute/src/index.ts
• packages/compute/src/scale-to-zero-control.ts
• packages/compute/src/scale-to-zero.ts
• packages/compute/tests/scale-to-zero.test.ts
• scripts/prepare-cli-publish.mjs
• scripts/resolve-cli-version.mjs
• scripts/smoke-cli-nextjs-artifact.mjs
• scripts/validate-skills.mjs
• scripts/validate-skills.test.mjs

[coderabbitai]

♻️ Duplicate comments (1)

packages/cli/src/presenters/database.ts (1)

327-330: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Preserve the remove-result JSON shape here.

Returning only { connection } turns this serializer into a breaking payload reshaper instead of the same verboseContext stripping used by the neighboring database serializers. Any consumer expecting the rest of DatabaseConnectionRemoveResult will lose fields in --json output.

♻️ Proposed fix

 export function serializeDatabaseConnectionRemove(
   result: DatabaseConnectionRemoveResult,
 ) {
-  return { connection: result.connection };
+  return stripVerboseContext(result);
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cli/src/presenters/database.ts` around lines 327 - 330, The
serializer serializeDatabaseConnectionRemove currently returns only `{
connection }`, which reshapes the JSON output and drops fields from
DatabaseConnectionRemoveResult; change it to preserve the original result shape
by returning the whole result (or applying the same verboseContext helper used
by the neighboring serializers) — e.g. return the full
DatabaseConnectionRemoveResult (or `verboseContext(result)` if that helper is
used elsewhere) instead of just ` { connection: result.connection }`, keeping
the rest of the fields intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@packages/cli/src/presenters/database.ts`:
- Around line 327-330: The serializer serializeDatabaseConnectionRemove
currently returns only `{ connection }`, which reshapes the JSON output and
drops fields from DatabaseConnectionRemoveResult; change it to preserve the
original result shape by returning the whole result (or applying the same
verboseContext helper used by the neighboring serializers) — e.g. return the
full DatabaseConnectionRemoveResult (or `verboseContext(result)` if that helper
is used elsewhere) instead of just ` { connection: result.connection }`, keeping
the rest of the fields intact.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: da324ee4-6edf-4a1e-a94a-b681b3a26019

📥 Commits

Reviewing files that changed from the base of the PR and between 2bd3a59 and 91c4f3f.

📒 Files selected for processing (7)

• .github/workflows/pr-quality.yml
• examples/next-smoke/app/globals.css
• package.json
• packages/cli/src/controllers/project.ts
• packages/cli/src/presenters/database.ts
• packages/cli/src/shell/ui.ts
• packages/cli/tests/shell.test.ts