chore(tooling): enforce honest coverage reporting

[cv]

Summary

Remove source-level V8 coverage ignore directives so CLI coverage reports include previously hidden orchestration code. Add repository checks to keep coverage directives out of source and convert Makefile targets into npm-script-backed compatibility shims.

Changes

• Removed v8 ignore directives from CLI action, domain, adapter, and command modules.
• Added scripts/checks/no-coverage-ignore.ts and scripts/checks/run.ts, and wired the generic repository checks into prek and npm run lint.
• Moved generic source checks under scripts/checks/ while keeping specialized lifecycle checks at their existing top-level scripts/check-* paths.
• Converted Makefile targets to thin wrappers around package scripts and added npm scripts for docs, formatting, and compatibility targets.
• Reset the CLI coverage ratchet to the honest no-ignore baseline in ci/coverage-threshold-cli.json.
• Stabilized NIM unified-memory GPU tests by mocking firmware model reads for non-Spark fixtures.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• New Features

  • Added validation to prevent unintended coverage exclusions in source code.
  • Snapshot restore now reconciles applied policy presets with snapshot state.
  • Sandbox connections now synchronize inference route configuration.

• Bug Fixes

  • Improved active session detection for sandbox destruction confirmations.
  • Enhanced SSH process caching for better command dependency tracking.

• Refactor

  • Centralized build and check commands through npm scripts.
  • Updated coverage thresholds for CLI tests.
  • Removed internal coverage suppression directives from source files.

• Tests

  • Added test coverage for policy directive detection.
  • Improved test helper structure for platform-specific scenarios.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8000c189-bf44-417c-9b13-143186d814d4

📥 Commits

Reviewing files that changed from the base of the PR and between 803c4f4 and 38aebf5.

📒 Files selected for processing (11)

• src/lib/actions/sandbox/connect.ts
• src/lib/actions/sandbox/destroy.ts
• src/lib/actions/sandbox/doctor.ts
• src/lib/actions/sandbox/gateway-state.ts
• src/lib/actions/sandbox/policy-channel.ts
• src/lib/actions/sandbox/rebuild.ts
• src/lib/actions/sandbox/status.ts
• src/lib/actions/uninstall/run-plan.ts
• src/lib/inference/nim.test.ts
• src/lib/list-command-deps.ts
• src/lib/status-command-deps.ts

💤 Files with no reviewable changes (10)

• src/lib/actions/sandbox/rebuild.ts
• src/lib/status-command-deps.ts
• src/lib/actions/sandbox/doctor.ts
• src/lib/actions/sandbox/status.ts
• src/lib/actions/uninstall/run-plan.ts
• src/lib/list-command-deps.ts
• src/lib/actions/sandbox/connect.ts
• src/lib/actions/sandbox/destroy.ts
• src/lib/actions/sandbox/gateway-state.ts
• src/lib/actions/sandbox/policy-channel.ts

---

📝 Walkthrough

Walkthrough

This PR consolidates build/lint/check tooling from scattered command invocations into centralized npm scripts, introduces automated coverage-ignore directive enforcement, removes v8 ignore comments from source files, and implements sandbox gateway probing, policy/channel management, session detection, and snapshot state reconciliation.

Changes

Build Infrastructure Consolidation

Layer / File(s)	Summary
NPM Script Definitions package.json	Introduces check and checks scripts, updates lint/lint:fix to chain biome and checks, adds documentation builders via uv, removes obsolete clean/sourcemap scripts.
Makefile Delegation Makefile	All targets delegate to npm scripts instead of direct tool invocations (check, lint, lint-ts, format, docs, etc.).
Pre-commit Hooks .pre-commit-config.yaml	Adds repository-checks hook for npm checks; updates test-cli hook to inline dist removal.
Coverage Thresholds ci/coverage-threshold-cli.json	Increases Jest coverage minimums for lines, functions, branches, and statements.

Coverage Visibility Enforcement

Layer / File(s)	Summary
Check Runner Infrastructure scripts/checks/run.ts, scripts/checks/direct-credential-env.ts, scripts/checks/layer-import-boundaries.ts, scripts/check-coverage-ratchet.ts	Implements unified check runner and updates existing check scripts to report correct usage messages.
Coverage Ignore Directive Detection scripts/checks/no-coverage-ignore.ts	New check utility that scans sources for forbidden v8 ignore directives and exports violation types for testing.
Coverage Ignore Tests test/no-coverage-ignore.test.ts	Validates directive detection in line/block comments and string literal exclusion.
V8 Ignore Removal: Sandbox src/lib/actions/sandbox/*, src/lib/domain/sandbox/*	Removes v8 ignore directives from connect, destroy, doctor, gateway-state, logs, process-recovery, rebuild, skill-install, status and their domain modules.
V8 Ignore Removal: Uninstall src/lib/actions/uninstall/*, src/lib/domain/uninstall/*	Removes v8 ignore directives from uninstall modules.
V8 Ignore Removal: Other src/lib/domain/policy-channel.ts, src/lib/status-command-deps.ts	Removes v8 ignore directives from remaining modules.

Sandbox Gateway & Policy Management Features

Layer / File(s)	Summary
OpenShell Runtime Adapter src/lib/adapters/openshell/runtime.ts	Provides runtime wrappers for OpenShell CLI: binary resolution, command execution with configurable options, status probe timeout parsing, and version detection.
Sandbox Connect with Inference Sync src/lib/actions/sandbox/connect.ts	Augments connection flow to probe live inference config, compare with persisted provider/model, and conditionally synchronize routing.
Sandbox Destroy with Session Detection src/lib/actions/sandbox/destroy.ts	Detects active SSH sessions and augments confirmation prompt with termination warnings.
Snapshot Policy Reconciliation src/lib/actions/sandbox/snapshot.ts	Adds gateway running probe and implements policy preset reconciliation on restore via diff and apply/remove operations.
Policy & Messaging Channel Management src/lib/actions/sandbox/policy-channel.ts	Implements policy preset add/list/remove flows and channel lifecycle (add/remove/enable/disable) with immediate gateway and registry synchronization.

Command Dependencies & CLI Adapters

Layer / File(s)	Summary
List & Status Command Dependencies src/lib/list-command-deps.ts	Caches SSH process probe output to avoid re-running per-sandbox queries.
CLI Command Implementations src/lib/commands/gateway-token.ts, src/lib/commands/uninstall.ts, src/lib/recover-cli-command.ts, src/lib/sandbox-config-set-cli-command.ts	Updates command error handling and removes coverage suppression comments.

Test Infrastructure Updates

Layer / File(s)	Summary
Check Script References test/layer-import-boundaries.test.ts, test/no-direct-credential-env.test.ts	Updates test references to refactored check scripts in scripts/checks/ directory.
Firmware Model Test Helper src/lib/inference/nim.test.ts, test/preinstall-node-version.test.ts	Introduces shared firmware model mocking helper and minor test formatting updates.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 A rabbit hops through build commands bright,
npm scripts now shine with unified might,
Coverage checks enforce what's right,
While sandbox gateways sync their sight—
From policy presets to session-aware flight,
The warren's infrastructure takes flight! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'chore(tooling): enforce honest coverage reporting' clearly and concisely summarizes the main objective of removing V8 coverage ignore directives to enforce honest coverage metrics, which is the primary focus of this comprehensive refactoring.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/coverage-checks-and-script-shims

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

package.json (1)

28-28: ⚡ Quick win

Add --check flag to enforce format validation in CI.

The current format:check command runs in write mode (exits 0 even when formatting issues exist), so it won't fail CI builds when code doesn't match format expectations. The --check flag reports violations as failures (exit code 1), making it suitable for blocking non-compliant commits.

Suggested patch

-    "format:check": "npx `@biomejs/biome` format .",
+    "format:check": "npx `@biomejs/biome` format --check .",

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 28, The "format:check" npm script currently runs Biome
in write/format mode and won't fail CI; update the "format:check" script entry
so it invokes Biome with the --check flag (i.e., run npx `@biomejs/biome` --check
.) so format violations return a non-zero exit code; modify the package.json
"format:check" script string accordingly (refer to the "format:check" script
name to locate the entry).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/checks/no-coverage-ignore.ts`:
- Around line 20-21: The current check uses FORBIDDEN_DIRECTIVE ("v8 ignore")
and flags any occurrence even inside string literals; update the scan so it only
matches actual comment tokens by detecting comment prefixes (// and /* ... */)
before searching for FORBIDDEN_DIRECTIVE. Modify the logic that reads lines (the
code referencing FORBIDDEN_DIRECTIVE) to first extract comment text (handle
single-line '//' and block '/*...*/') and then check that extracted comment
contains FORBIDDEN_DIRECTIVE, preserving existing reporting behavior when found.

In `@src/lib/commands/gateway-token.ts`:
- Around line 53-55: The stdout error handler currently uses
process.stdout.on("error", ...) and only exits on EPIPE, which suppresses
non-EPIPE errors and leaks listeners across repeated run() calls; change this to
add a one-time listener (use once instead of on) on process.stdout and for
non-EPIPE errors re-emit or propagate the error rather than silently swallowing
it (e.g., call process.emit('uncaughtException', err) or log and exit with
non-zero), and ensure any listener is removed after handling so repeated
invocations of the run/command do not accumulate listeners; key symbols to
modify: process.stdout.on("error", ...), the err.code === "EPIPE" branch, and
the process.exit(0) behavior.

---

Nitpick comments:
In `@package.json`:
- Line 28: The "format:check" npm script currently runs Biome in write/format
mode and won't fail CI; update the "format:check" script entry so it invokes
Biome with the --check flag (i.e., run npx `@biomejs/biome` --check .) so format
violations return a non-zero exit code; modify the package.json "format:check"
script string accordingly (refer to the "format:check" script name to locate the
entry).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d12d63ff-00d4-4676-829d-412f524bde92

📥 Commits

Reviewing files that changed from the base of the PR and between 0940e32 and 11bf26b.

📒 Files selected for processing (41)

• .pre-commit-config.yaml
• Makefile
• ci/coverage-threshold-cli.json
• package.json
• scripts/check-coverage-ratchet.ts
• scripts/checks/direct-credential-env.ts
• scripts/checks/layer-import-boundaries.ts
• scripts/checks/no-coverage-ignore.ts
• scripts/checks/run.ts
• src/lib/actions/maintenance.ts
• src/lib/actions/sandbox/connect.ts
• src/lib/actions/sandbox/destroy.ts
• src/lib/actions/sandbox/doctor.ts
• src/lib/actions/sandbox/gateway-state.ts
• src/lib/actions/sandbox/logs.ts
• src/lib/actions/sandbox/policy-channel.ts
• src/lib/actions/sandbox/process-recovery.ts
• src/lib/actions/sandbox/rebuild.ts
• src/lib/actions/sandbox/runtime.ts
• src/lib/actions/sandbox/skill-install.ts
• src/lib/actions/sandbox/snapshot.ts
• src/lib/actions/sandbox/status.ts
• src/lib/actions/uninstall-plan.ts
• src/lib/actions/uninstall-run-plan.ts
• src/lib/actions/upgrade-sandboxes.ts
• src/lib/adapters/openshell/runtime.ts
• src/lib/commands/gateway-token.ts
• src/lib/commands/uninstall.ts
• src/lib/domain/policy-channel.ts
• src/lib/domain/sandbox/destroy.ts
• src/lib/domain/sandbox/logs.ts
• src/lib/domain/uninstall/paths.ts
• src/lib/domain/uninstall/plan.ts
• src/lib/domain/uninstall/shims.ts
• src/lib/list-command-deps.ts
• src/lib/recover-cli-command.ts
• src/lib/sandbox-config-set-cli-command.ts
• src/lib/status-command-deps.ts
• test/layer-import-boundaries.test.ts
• test/no-direct-credential-env.test.ts
• test/preinstall-node-version.test.ts

💤 Files with no reviewable changes (27)

• src/lib/domain/uninstall/shims.ts
• src/lib/domain/policy-channel.ts
• src/lib/actions/sandbox/status.ts
• src/lib/actions/maintenance.ts
• src/lib/domain/uninstall/paths.ts
• src/lib/sandbox-config-set-cli-command.ts
• src/lib/actions/sandbox/runtime.ts
• src/lib/actions/sandbox/skill-install.ts
• src/lib/domain/sandbox/destroy.ts
• src/lib/domain/sandbox/logs.ts
• src/lib/domain/uninstall/plan.ts
• src/lib/recover-cli-command.ts
• src/lib/actions/sandbox/connect.ts
• src/lib/list-command-deps.ts
• src/lib/actions/upgrade-sandboxes.ts
• src/lib/actions/uninstall-plan.ts
• src/lib/actions/sandbox/snapshot.ts
• src/lib/status-command-deps.ts
• src/lib/actions/sandbox/destroy.ts
• src/lib/actions/sandbox/logs.ts
• src/lib/actions/sandbox/doctor.ts
• src/lib/adapters/openshell/runtime.ts
• src/lib/actions/sandbox/process-recovery.ts
• src/lib/actions/uninstall-run-plan.ts
• src/lib/actions/sandbox/policy-channel.ts
• src/lib/actions/sandbox/gateway-state.ts
• src/lib/actions/sandbox/rebuild.ts

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

♻️ Duplicate comments (1)

src/lib/commands/gateway-token.ts (1)

69-75: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove the stdout error listener after each successful run.

Line 69 uses once, but if no stdout "error" happens, the listener stays registered. Repeated in-process run() calls can accumulate pending listeners and later trigger multiple handlers on one error.

Suggested patch

-    process.stdout.once("error", (err: NodeJS.ErrnoException) => {
+    const onStdoutError = (err: NodeJS.ErrnoException): never | void => {
       if (err.code === "EPIPE") {
         process.exit(0);
         return;
       }
       throw err;
-    });
+    };
+    process.stdout.once("error", onStdoutError);
 
-    const runtime = getRuntimeBridge();
-    const exitCode = runGatewayTokenCommand(
-      args.sandboxName,
-      { quiet: flags.quiet === true },
-      {
-        fetchToken: runtime.fetchGatewayAuthTokenFromSandbox,
-        getSandboxAgent: runtime.getSandboxAgent,
-      },
-    );
-    // NCQ `#3180`: avoid this.exit(code), which throws `@oclif/core` ExitError.
-    // The legacy `nemoclaw <name> gateway-token` dispatch did not catch the
-    // throw, leaking a raw JS stack trace to the user. Always assigning
-    // process.exitCode keeps the diagnostic output clean and prevents a
-    // stale non-zero code from a prior run() in the same process from
-    // bleeding through on a successful invocation.
-    process.exitCode = exitCode;
+    try {
+      const runtime = getRuntimeBridge();
+      const exitCode = runGatewayTokenCommand(
+        args.sandboxName,
+        { quiet: flags.quiet === true },
+        {
+          fetchToken: runtime.fetchGatewayAuthTokenFromSandbox,
+          getSandboxAgent: runtime.getSandboxAgent,
+        },
+      );
+      // NCQ `#3180`: avoid this.exit(code), which throws `@oclif/core` ExitError.
+      // The legacy `nemoclaw <name> gateway-token` dispatch did not catch the
+      // throw, leaking a raw JS stack trace to the user. Always assigning
+      // process.exitCode keeps the diagnostic output clean and prevents a
+      // stale non-zero code from a prior run() in the same process from
+      // bleeding through on a successful invocation.
+      process.exitCode = exitCode;
+    } finally {
+      process.stdout.off("error", onStdoutError);
+    }

#!/bin/bash
# Verify registration exists and cleanup is (or is not) present.
rg -nP --type=ts -C2 'process\.stdout\.once\("error"\s*,\s*' src/lib/commands/gateway-token.ts
rg -nP --type=ts -C2 'process\.stdout\.(off|removeListener)\("error"\s*,' src/lib/commands/gateway-token.ts

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/commands/gateway-token.ts` around lines 69 - 75, The temporary stdout
error listener added with process.stdout.once("error", ...) can remain
registered across repeated in-process run() calls if no error occurs; fix by
extracting the listener into a named function (e.g. const onStdoutError = (err:
NodeJS.ErrnoException) => { ... }) and register it with
process.stdout.once("error", onStdoutError), then always remove it after a
successful run (process.stdout.removeListener("error", onStdoutError) or
process.stdout.off(...)) in the normal completion/cleanup path of the function
that invokes this listener (the run() / gateway-token command flow) so no stale
listeners accumulate.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@src/lib/commands/gateway-token.ts`:
- Around line 69-75: The temporary stdout error listener added with
process.stdout.once("error", ...) can remain registered across repeated
in-process run() calls if no error occurs; fix by extracting the listener into a
named function (e.g. const onStdoutError = (err: NodeJS.ErrnoException) => { ...
}) and register it with process.stdout.once("error", onStdoutError), then always
remove it after a successful run (process.stdout.removeListener("error",
onStdoutError) or process.stdout.off(...)) in the normal completion/cleanup path
of the function that invokes this listener (the run() / gateway-token command
flow) so no stale listeners accumulate.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 67659282-6bb5-4a49-923c-399adc78b295

📥 Commits

Reviewing files that changed from the base of the PR and between 1682bd6 and 803c4f4.

📒 Files selected for processing (20)

• package.json
• scripts/checks/no-coverage-ignore.ts
• src/lib/actions/maintenance.ts
• src/lib/actions/sandbox/connect.ts
• src/lib/actions/sandbox/destroy.ts
• src/lib/actions/sandbox/doctor.ts
• src/lib/actions/sandbox/gateway-state.ts
• src/lib/actions/sandbox/policy-channel.ts
• src/lib/actions/sandbox/process-recovery.ts
• src/lib/actions/sandbox/rebuild.ts
• src/lib/actions/sandbox/skill-install.ts
• src/lib/actions/sandbox/snapshot.ts
• src/lib/actions/sandbox/status.ts
• src/lib/actions/uninstall/plan.ts
• src/lib/actions/uninstall/run-plan.ts
• src/lib/actions/upgrade-sandboxes.ts
• src/lib/commands/gateway-token.ts
• src/lib/commands/uninstall.ts
• src/lib/nim.test.ts
• test/no-coverage-ignore.test.ts

💤 Files with no reviewable changes (14)

• src/lib/actions/maintenance.ts
• src/lib/actions/upgrade-sandboxes.ts
• src/lib/actions/sandbox/status.ts
• src/lib/actions/uninstall/run-plan.ts
• src/lib/actions/sandbox/rebuild.ts
• src/lib/actions/uninstall/plan.ts
• src/lib/actions/sandbox/skill-install.ts
• src/lib/actions/sandbox/connect.ts
• src/lib/actions/sandbox/doctor.ts
• src/lib/actions/sandbox/snapshot.ts
• src/lib/actions/sandbox/process-recovery.ts
• src/lib/actions/sandbox/destroy.ts
• src/lib/actions/sandbox/policy-channel.ts
• src/lib/actions/sandbox/gateway-state.ts

✅ Files skipped from review due to trivial changes (2)

• src/lib/commands/uninstall.ts
• test/no-coverage-ignore.test.ts

[cv]

Maintainer update: synced this branch with current main and resolved the CodeRabbit follow-ups.

Validation:

• Targeted local check: npx tsx scripts/checks/no-coverage-ignore.ts scripts/checks/no-coverage-ignore.ts test/no-coverage-ignore.test.ts src/lib/commands/gateway-token.ts
• Targeted tests: npx vitest run test/no-coverage-ignore.test.ts src/lib/gateway-token-command.test.ts src/lib/nim.test.ts
• Pre-commit and pre-push hooks passed on commit/push, including CLI tests, repository checks, typechecks, shellcheck, gitleaks, docs-to-skills, and source-shape budget.
• GitHub CI is green.

Current merge state is MERGEABLE/BLOCKED only because review is still required.

[cv]

Maintainer update: resynced with latest main again and resolved the new conflict from the inference/onboard module move.\n\nValidation:\n- npm run build:cli\n- npx vitest run src/lib/inference/nim.test.ts test/no-coverage-ignore.test.ts src/lib/gateway-token-command.test.ts\n- Commit hooks passed.\n- Push hooks passed on retry, including full CLI tests, repository checks, typechecks, shellcheck, gitleaks, docs-to-skills, and source-shape budget.\n- GitHub CI is green (all 13 checks).\n\nCurrent state: MERGEABLE/BLOCKED only because reviewer approval is still required.

[cjagwani]

LGTM, approving. Coverage rebaseline is the right call, v8 ignore directives were hiding real gaps, and once this lands the next coverage run on main will be the honest baseline.

[cjagwani]

LGTM, approving. Coverage rebaseline is the right call — v8 ignore directives were hiding real gaps, and once this lands the next coverage run on main will be the honest baseline.

One small thing for future readers: the process.stdout.on(...) → once(...) + rethrow change in src/lib/commands/gateway-token.ts:69-75 is a real behavior shift (was silently swallowing non-EPIPE stdout errors, now surfaces them). It's almost certainly the right call — EBADF/EIO shouldn't be swallowed — but it's the only semantic change in an otherwise pure-tooling PR. Worth a one-line mention in the body or a follow-up commit message so anyone bisecting later doesn't trip on it. Not a blocker.

Thanks for the cleanup.