
chore(tooling): add Prettier to lint#34

Merged
tataihono merged 6 commits into main from chore/33-prettier
Feb 17, 2026

Conversation

@tataihono tataihono commented Feb 17, 2026

Summary

Add Prettier to lint with config: no semicolons, 2-space indent. Integrates via eslint-plugin-prettier so pnpm lint runs Prettier checks.

Contracts Changed

  • yes
  • no

Regeneration Required

  • yes
  • no

Validation

  • Contracts validated
  • Generated code verified (no manual edits)
  • Tests and build passed
  • Terraform plan reviewed (if infra change)

Resolves #33

Summary by CodeRabbit

Release Notes

  • New Features

    • Added Prettier and ESLint configuration for consistent code formatting across the project.
    • Enhanced security with input validation and path traversal protection in prompt loading.
  • Documentation

    • Updated Forge workflow documentation to include agent naming conventions.
  • Chores

    • Integrated Prettier formatter into development tooling and build scripts.
    • Applied consistent code formatting standards (quotes, spacing, punctuation) throughout the codebase.

- Add Prettier config (no semi, 2-space indent)
- Integrate eslint-plugin-prettier + eslint-config-prettier
- Add format script: prettier --write .
- Apply Prettier formatting

Co-authored-by: Cursor <cursoragent@cursor.com>
coderabbitai Bot commented Feb 17, 2026

Walkthrough

Adds Prettier code formatter to the monorepo with configuration files, ESLint integration, and applies formatting rules (no semicolons, 2-space indentation) across the codebase. Updates workflow documentation to include agent naming step.

Changes

Cohort / File(s) Summary
Prettier Configuration
.prettierrc, .prettierignore
New Prettier config with no semicolons, 2-space tabs, and ignore paths for node_modules, dist, build, .next, .turbo, and other standard directories.
ESLint & Prettier Integration
eslint.config.mjs, apps/web/eslint.config.mjs, package.json
Adds eslint-plugin-prettier and eslint-config-prettier dependencies; integrates Prettier into ESLint config; replaces Turbo-based format script with direct Prettier invocation.
Workflow Documentation
.cursor/skills/forge-workflow/SKILL.md, AGENTS.md
Adds agent naming checklist item and renumbers workflow steps to include explicit naming rule with format {number}-{slug}.
AI Orchestrator Security & Validation
apps/ai-orchestrator/src/prompts/registry.mjs, apps/ai-orchestrator/src/policy/guardrails.mjs
Introduces path-traversal safety check and input validation using realpath resolution in registry.mjs; removes trailing punctuation from error messages in guardrails.mjs.
Root & Build Configuration
commitlint.config.js, SECURITY.md
Updates quote style and formatting; reformats version table alignment without semantic changes.
AI Orchestrator Services
apps/ai-orchestrator/src/provenance/store.mjs, apps/ai-orchestrator/src/providers/*, apps/ai-orchestrator/src/rag/vector-store.mjs, apps/ai-orchestrator/src/server.mjs, apps/ai-orchestrator/src/strapi/gateway.mjs
Formatting-only changes: semicolon removal, trailing comma adjustments, multi-line reformatting without logic or control-flow modifications.
CMS App Configuration
apps/cms/config/*, apps/cms/src/admin/*, apps/cms/src/index.ts, apps/cms/package.json
Consistent formatting updates: switch to double quotes, remove trailing semicolons, adjust indentation and line breaks across all config files and source files.
Web App Configuration & Components
apps/web/next.config.mjs, apps/web/postcss.config.mjs, apps/web/tsconfig.json, apps/web/src/app/*, apps/web/src/lib/content.ts
Formatting adjustments: semicolon removal, quote standardization, multi-line reformatting for routes and components without behavioral changes.
Packages & Tooling Scripts
packages/content-models/src/index.ts, packages/contracts/scripts/validate-contracts.mjs, packages/tooling/codegen/generate-clients.mjs, packages/tooling/codegen/verify-generated.mjs
Semicolon removal and whitespace normalization across type definitions and build scripts; no functional logic changes.
Documentation & Prompts
packages/ai-config/prompts/content-draft.v1.md
Minor blank line addition after section header.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 3

❌ Failed checks (3 warnings)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The PR includes out-of-scope security changes: path traversal validation in registry.mjs and agent naming documentation in SKILL.md, which are unrelated to Prettier integration objectives. Remove security fixes and agent naming changes; address those in separate pull requests to keep this PR focused on Prettier integration only.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Merge Conflict Detection ⚠️ Warning ❌ Merge conflicts detected (42 files):

⚔️ .cursor/skills/forge-workflow/SKILL.md (content)
⚔️ AGENTS.md (content)
⚔️ SECURITY.md (content)
⚔️ apps/ai-orchestrator/src/policy/guardrails.mjs (content)
⚔️ apps/ai-orchestrator/src/prompts/registry.mjs (content)
⚔️ apps/ai-orchestrator/src/provenance/store.mjs (content)
⚔️ apps/ai-orchestrator/src/providers/anthropic.mjs (content)
⚔️ apps/ai-orchestrator/src/providers/base.mjs (content)
⚔️ apps/ai-orchestrator/src/providers/openai.mjs (content)
⚔️ apps/ai-orchestrator/src/rag/vector-store.mjs (content)
⚔️ apps/ai-orchestrator/src/server.mjs (content)
⚔️ apps/ai-orchestrator/src/strapi/gateway.mjs (content)
⚔️ apps/cms/.env.example (content)
⚔️ apps/cms/README.md (content)
⚔️ apps/cms/config/admin.ts (content)
⚔️ apps/cms/config/api.ts (content)
⚔️ apps/cms/config/database.ts (content)
⚔️ apps/cms/config/middlewares.ts (content)
⚔️ apps/cms/config/plugins.ts (content)
⚔️ apps/cms/config/server.ts (content)
⚔️ apps/cms/package.json (content)
⚔️ apps/cms/src/admin/app.tsx (content)
⚔️ apps/cms/src/admin/vite.config.ts (content)
⚔️ apps/cms/src/index.ts (content)
⚔️ apps/web/eslint.config.mjs (content)
⚔️ apps/web/next.config.mjs (content)
⚔️ apps/web/postcss.config.mjs (content)
⚔️ apps/web/src/app/api/preview/route.ts (content)
⚔️ apps/web/src/app/api/revalidate/route.ts (content)
⚔️ apps/web/src/app/layout.tsx (content)
⚔️ apps/web/src/app/page.tsx (content)
⚔️ apps/web/src/lib/content.ts (content)
⚔️ apps/web/tsconfig.json (content)
⚔️ commitlint.config.js (content)
⚔️ eslint.config.mjs (content)
⚔️ package.json (content)
⚔️ packages/ai-config/prompts/content-draft.v1.md (content)
⚔️ packages/content-models/src/index.ts (content)
⚔️ packages/contracts/scripts/validate-contracts.mjs (content)
⚔️ packages/tooling/codegen/generate-clients.mjs (content)
⚔️ packages/tooling/codegen/verify-generated.mjs (content)
⚔️ pnpm-lock.yaml (content)

These conflicts must be resolved before merging into main.
Resolve conflicts locally and push changes to this branch.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore(tooling): add Prettier to lint' accurately reflects the main objective of the PR: integrating Prettier into the linting workflow.
Linked Issues check ✅ Passed The PR addresses all requirements from issue #33: adds root .prettierrc with proper config, integrates eslint-plugin-prettier and eslint-config-prettier, implements format script, and applies formatting across the codebase.


tataihono and others added 2 commits February 17, 2026 14:56
@tataihono (Contributor, Author)

Review feedback addressed (33bb766)

Fixed:

  • CodeQL "Uncontrolled data used in path expression" in registry.mjs: Added validation for id and version params with regex ^[a-zA-Z0-9._-]+$ before using in path, preventing path traversal.

tataihono and others added 3 commits February 17, 2026 14:58
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
package.json (1)

14-14: format script bypasses Turbo — intentional?

The previous format script used turbo run format (leveraging Turbo's caching and workspace-aware execution), while the new script runs prettier --write . directly at the root. This is a reasonable approach for a repo-wide formatter, but it means pnpm format won't benefit from Turbo's caching. Just confirming this is intentional.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 14, The root package.json "format" script currently
runs "prettier --write ." which bypasses Turbo caching; if that was not
intentional, change the "format" script back to delegate to Turbo (use "turbo
run format") so pnpm format benefits from Turbo's workspace-aware caching,
otherwise explicitly document/rename the script (e.g., keep "format" for a true
repo-wide Prettier pass and add a "format:turbo" or restore "turbo run format")
so intent is clear; update the "format" script entry in package.json accordingly
and ensure each workspace package still exposes its own "format" task consumed
by Turbo.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/ai-orchestrator/src/prompts/registry.mjs`:
- Line 4: PROMPTS_ROOT is currently set with resolve(...) which doesn't follow
symlinks, breaking the later boundary check that uses realpathSync and
startsWith; change the PROMPTS_ROOT initialization to use
realpathSync(resolve(process.cwd(), "../../packages/ai-config/prompts")) so both
PROMPTS_ROOT and the resolved file paths use realpathSync and symlinks are
normalized before the startsWith check in the registry logic.

In `@apps/web/src/app/api/preview/route.ts`:
- Line 7: The redirect query handling is vulnerable to open-redirects: validate
and constrain the redirect before using new URL(redirect, url.origin). Ensure
the value in the redirect variable is an absolute-path-only string
(startsWith("/") and does not contain "//" after the leading slash), and if it
fails validation replace it with a safe default (e.g., "/"); update the code
paths that call new URL(redirect, url.origin) to use this validated/sanitized
redirect (you can extract the logic into a helper like isSafeRedirect or
sanitizeRedirect and reference the redirect variable and the new URL(...)
usage).

import { resolve } from "node:path"

const PROMPTS_ROOT = resolve(process.cwd(), "../../packages/ai-config/prompts");
const PROMPTS_ROOT = resolve(process.cwd(), "../../packages/ai-config/prompts")
⚠️ Potential issue | 🔴 Critical

PROMPTS_ROOT should also be resolved via realpathSync for the boundary check to work correctly.

resolve() does not follow symlinks, but realpathSync(filePath) on Line 13 does. If any path component in ../../packages/ai-config/prompts is a symlink, the resolved file path will differ from PROMPTS_ROOT and the startsWith check on Line 14 will always reject valid prompts.

Proposed fix
-const PROMPTS_ROOT = resolve(process.cwd(), "../../packages/ai-config/prompts")
+const PROMPTS_ROOT = realpathSync(
+  resolve(process.cwd(), "../../packages/ai-config/prompts"),
+)
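Review bot: this change makes module load depend on the prompts directory existing, because realpathSync throws ENOENT at import time if ../../packages/ai-config/prompts cannot be found, and since it is resolved relative to process.cwd(), starting the orchestrator from any other working directory now fails at startup instead of on the first prompt load; resolving relative to import.meta.url would remove that dependency on the caller's cwd. Also confirm realpathSync is imported from node:fs, since the context shown only includes the node:path import. For the startsWith check on line 14 to reject a sibling directory whose name merely begins with the root's (e.g. a "prompts-extra" next to "prompts"), compare against PROMPTS_ROOT + sep rather than the bare root.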
const redirect = url.searchParams.get("redirect") ?? "/";
const url = new URL(request.url)
const token = url.searchParams.get("token")
const redirect = url.searchParams.get("redirect") ?? "/"
⚠️ Potential issue | 🟡 Minor

Pre-existing open redirect risk via the redirect query parameter.

new URL(redirect, url.origin) does not constrain redirect to a relative path — an absolute URL (e.g. https://evil.com) bypasses the origin base entirely, allowing an authenticated attacker to craft a preview link that redirects to an arbitrary domain. Consider validating that redirect starts with / and doesn't contain //.

🛡️ Suggested mitigation
   const redirect = url.searchParams.get("redirect") ?? "/"
+  if (!redirect.startsWith("/") || redirect.startsWith("//")) {
+    return NextResponse.json({ error: "invalid_redirect" }, { status: 400 })
+  }
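Review bot: the check on the first added line rejects `//host` but not `/\host`, which the WHATWG URL parser normalises to `//host` for the http(s) schemes, so the value can still resolve off-origin; a more robust check is to parse first and reject when `new URL(redirect, url.origin).origin !== url.origin` (or to rebuild the target from its pathname and search only). The same validated value should be the one used at line 21, which the comment notes as also affected.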

Also applies to: 21-21

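Added example, not the project's preview route: a sanitizer that validates the redirect value by parsing it against the request origin and comparing origins, which covers the `//host` case the comment describes and goes one step further by refusing any parse result that lands off-origin. The names `sanitizeRedirect` and `previewRedirectUrl` and the request URLs are constructed.

```javascript
// Added example, not the project's route handler. Parses the redirect value
// against the request origin and keeps it only if the result stays on-origin.
function sanitizeRedirect(redirect, origin) {
  if (typeof redirect !== "string" || !redirect.startsWith("/")) return "/"
  let target
  try {
    target = new URL(redirect, origin)
  } catch {
    return "/" // unparsable input: use the safe default
  }
  // "//host" and "/\host" (a backslash is a slash for http(s) in the WHATWG
  // parser) both resolve to a different origin and are rejected here.
  if (target.origin !== new URL(origin).origin) return "/"
  // Hand back only path + query + fragment so the caller re-bases it on
  // its own origin and never re-embeds a host taken from user input.
  return target.pathname + target.search + target.hash
}

// Mirrors the route's shape: read ?redirect= from the request URL and build
// the final Location from the sanitised value (request URL is constructed).
function previewRedirectUrl(requestUrl) {
  const url = new URL(requestUrl)
  const redirect = url.searchParams.get("redirect") ?? "/"
  return new URL(sanitizeRedirect(redirect, url.origin), url.origin).href
}
```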

@tataihono tataihono merged commit 7cdc015 into main Feb 17, 2026
13 checks passed
@tataihono tataihono deleted the chore/33-prettier branch February 17, 2026 02:12
