Audit finding from general-audit @ 0de7631 (2026-04-29)
Severity: low
Category: tech debt / CI gap
File: eslint.config.js, package.json, .github/workflows/ci.yml, .github/workflows/e2e.yml
Obvious fix: yes
Description
eslint.config.js (added by commit bd1f725) declares a no-restricted-syntax rule that errors on *.waitForTimeout(...) calls in e2e/**/*.ts. Existing six files received per-file eslint-disable headers (allowlist via #458); intent is for the rule to fail-fast on any new waitForTimeout calls.
Problem: nothing runs eslint.
- No lint script in package.json (only deps installed).
- No eslint invocation in .github/workflows/ci.yml or .github/workflows/e2e.yml.
- No just recipe for it.
A contributor adding await page.waitForTimeout(N) to a fresh e2e/**/*.spec.ts file (no eslint-disable header) lands unflagged because the rule never executes during PR review. The migration spec at docs/specs/2026-04-27-event-based-waits-design.md is undefended.
Verify
grep -rn 'eslint\|"lint"\b' .github/ scripts/ justfile package.json | grep -v -E "node_modules|@eslint|@typescript-eslint"
# Only hit: package.json:26 — the dep declaration. No runner.
grep -n "lint" package.json
# Zero "scripts.lint" entry.
Suggested fix
Two parts:
- Add an npm run lint script to package.json:
    "scripts": { "lint": "eslint e2e/" }
- Add an eslint step to .github/workflows/ci.yml (cheapest as a job in e2e.yml since deps are already installed there):
    - name: Install npm deps
      run: npm ci
    - name: ESLint e2e
      run: npm run lint
Distinct from #458
Issue #458 tracks migrating existing files off waitForTimeout. F2 tracks wiring the lint runner so that the ratchet-down is actually enforced. Both need to land for the migration plan to work as designed.
Sibling-of-closed pattern
bd1f725 ci(e2e): forbid new waitForTimeout calls; allowlist existing — commit subject says ci:, but only added an eslint config file and dependencies. The actual ci.yml / e2e.yml workflows were never edited to invoke eslint.
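The gap described above (a rule declared in config but never executed) can be checked mechanically. The following is an added example, not code from this repository: `workflowCommands`, `auditLintWiring` and the sample file contents (including the eslint version string) are constructed for illustration, and the command matching is a heuristic that covers `eslint`, `npx eslint` and `npm run <script>` only.

```javascript
// Collect the shell commands of every "run:" step in workflow YAML text.
// Handles single-line "run: cmd" and "run: |" blocks; commented lines are skipped.
function workflowCommands(yamlText) {
  const cmds = [];
  let blockIndent = -1; // indent of the "run:" line while inside a block scalar
  for (const line of yamlText.split(/\r?\n/)) {
    const indent = line.search(/\S/);
    if (indent === -1) continue; // blank line
    const text = line.trim();
    if (blockIndent >= 0) {
      if (indent > blockIndent) { if (!text.startsWith("#")) cmds.push(text); continue; }
      blockIndent = -1; // dedent: the block has ended
    }
    const m = /^(?:-\s+)?run:\s*(.*)$/.exec(text);
    if (!m) continue;
    if (/^[|>][+-]?$/.test(m[1])) blockIndent = indent;
    else if (m[1]) cmds.push(m[1]);
  }
  return cmds;
}

// Report which npm scripts invoke eslint and which workflows actually run them.
// `workflows` maps a file path to that file's text.
function auditLintWiring(packageJsonText, workflows) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  // eslint counts only as the command word, so "npm install eslint" does not match.
  const isEslint = (c) => /(?:^|[;&|]\s*|\bnpx\s+)eslint(?:\s|$)/.test(c);
  const lintScripts = Object.keys(scripts).filter((n) => isEslint(scripts[n]));
  const enforcedIn = Object.entries(workflows)
    .filter(([, text]) => workflowCommands(text).some((cmd) => {
      if (isEslint(cmd)) return true;
      const m = /\bnpm\s+(?:run(?:-script)?\s+)?([\w:-]+)/.exec(cmd);
      return Boolean(m && lintScripts.includes(m[1]));
    }))
    .map(([path]) => path);
  return { lintScripts, enforcedIn, enforced: enforcedIn.length > 0 };
}

// Constructed sample inputs: the state the finding describes, then the suggested fix.
const BEFORE_PKG = '{"devDependencies": {"eslint": "^9.0.0"}}';
const AFTER_PKG = '{"scripts": {"lint": "eslint e2e/"}, "devDependencies": {"eslint": "^9.0.0"}}';
const BEFORE_WF = ["jobs:", "  e2e:", "    steps:", "      - name: Install npm deps",
  "        run: npm ci", "      # - run: npm run lint"].join("\n");
const AFTER_WF = BEFORE_WF + "\n      - name: ESLint e2e\n        run: npm run lint";

console.log(auditLintWiring(BEFORE_PKG, { ".github/workflows/e2e.yml": BEFORE_WF }));
console.log(auditLintWiring(AFTER_PKG, { ".github/workflows/e2e.yml": AFTER_WF }));
```

Both halves of the fix are required for `enforced` to become true: a lint script that no workflow calls, or a workflow step that calls a script that does not exist, still reports the rule as unenforced.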