From 4bcd80c33d0c19c8a3c0819a5d07403a5b48d038 Mon Sep 17 00:00:00 2001
From: Shinwoo PARK <shinwoo.park@psw.kr>
Date: Mon, 11 May 2026 19:06:50 +0900
Subject: [PATCH] build: fetch identitydb as remote dependency

---
 .gitea/workflows/npm-release.yml | 34 --------------------------------
 README.md                        |  2 +-
 bun.lock                         | 11 +++++++----
 package.json                     |  9 +++++++--
 tests/release-config.test.ts     | 31 +++++++++++++++++++++++++++++
 5 files changed, 46 insertions(+), 41 deletions(-)
 create mode 100644 tests/release-config.test.ts

diff --git a/.gitea/workflows/npm-release.yml b/.gitea/workflows/npm-release.yml
index 712b145..79ff0f0 100644
--- a/.gitea/workflows/npm-release.yml
+++ b/.gitea/workflows/npm-release.yml
@@ -41,23 +41,6 @@ jobs:
           git -c http.extraHeader="Authorization: Basic $AUTH_HEADER" clone --depth 1 --branch "${{ gitea.ref_name }}" "$REPO_URL" repo
           git -C repo rev-parse HEAD
 
-      - name: Clone IdentityDB dependency
-        run: |
-          set -euo pipefail
-          REPO_SLUG="${{ gitea.repository }}"
-          REPO_OWNER="${REPO_SLUG%%/*}"
-          IDENTITYDB_URL="${{ gitea.server_url }}/${REPO_OWNER}/IdentityDB.git"
-          AUTH_HEADER="$(printf '%s' '${{ gitea.actor }}:${{ secrets.GITEA_TOKEN }}' | base64 -w0)"
-          git -c http.extraHeader="Authorization: Basic $AUTH_HEADER" clone --depth 1 "$IDENTITYDB_URL" IdentityDB
-          git -C IdentityDB rev-parse HEAD
-
-      - name: Build IdentityDB dependency
-        working-directory: IdentityDB
-        run: |
-          set -euo pipefail
-          bun install --frozen-lockfile
-          bun run build
-
       - name: Verify release tag matches package version
         working-directory: repo
         run: |
@@ -111,23 +94,6 @@ jobs:
           git -c http.extraHeader="Authorization: Basic $AUTH_HEADER" clone --depth 1 --branch "${{ gitea.ref_name }}" "$REPO_URL" repo
           git -C repo rev-parse HEAD
 
-      - name: Clone IdentityDB dependency
-        run: |
-          set -euo pipefail
-          REPO_SLUG="${{ gitea.repository }}"
-          REPO_OWNER="${REPO_SLUG%%/*}"
-          IDENTITYDB_URL="${{ gitea.server_url }}/${REPO_OWNER}/IdentityDB.git"
-          AUTH_HEADER="$(printf '%s' '${{ gitea.actor }}:${{ secrets.GITEA_TOKEN }}' | base64 -w0)"
-          git -c http.extraHeader="Authorization: Basic $AUTH_HEADER" clone --depth 1 "$IDENTITYDB_URL" IdentityDB
-          git -C IdentityDB rev-parse HEAD
-
-      - name: Build IdentityDB dependency
-        working-directory: IdentityDB
-        run: |
-          set -euo pipefail
-          bun install --frozen-lockfile
-          bun run build
-
       - name: Install dependencies
         working-directory: repo
         run: |
diff --git a/README.md b/README.md
index 3e277f1..33e2741 100644
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ bun run build
 
 Tagging `vX.Y.Z` or `X.Y.Z` triggers the Gitea npm release workflow under `.gitea/workflows/npm-release.yml`.
 
-Because BoxBrain currently consumes IdentityDB through the sibling `file:../IdentityDB` dependency during active development, the release workflow clones and builds `IdentityDB` first, then runs BoxBrain install/test/build/publish steps against that prepared sibling checkout.
+BoxBrain now fetches IdentityDB as a remote git dependency through Bun instead of relying on a sibling local checkout, and `trustedDependencies` allows Bun to run the required lifecycle scripts for `identitydb`, `better-sqlite3`, and `esbuild` during clean installs.
 
 ## Current status
 
diff --git a/bun.lock b/bun.lock
index a84efdd..11ff7e4 100644
--- a/bun.lock
+++ b/bun.lock
@@ -5,7 +5,7 @@
     "": {
       "name": "boxbrain",
       "dependencies": {
-        "identitydb": "file:../IdentityDB",
+        "identitydb": "git+https://git.psw.kr/p-sw/IdentityDB.git#664d0582bc6b10faaccd2db61f2400bac81c5af5",
       },
       "devDependencies": {
         "@types/node": "^24.0.0",
@@ -15,6 +15,11 @@
       },
     },
   },
+  "trustedDependencies": [
+    "esbuild",
+    "better-sqlite3",
+    "identitydb",
+  ],
   "packages": {
     "@esbuild/aix-ppc64": ["@esbuild/aix-ppc64@0.27.7", "", { "os": "aix", "cpu": "ppc64" }, "sha512-EKX3Qwmhz1eMdEJokhALr0YiD0lhQNwDqkPYyPhiSwKrh7/4KRjQc04sZ8db+5DVVnZ1LmbNDI1uAMPEUBnQPg=="],
 
@@ -228,7 +233,7 @@
 
     "iconv-lite": ["iconv-lite@0.7.2", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw=="],
 
-    "identitydb": ["identitydb@file:../IdentityDB", { "dependencies": { "better-sqlite3": "^12.1.1", "kysely": "^0.28.8", "mysql2": "^3.15.3", "pg": "^8.16.0" }, "devDependencies": { "@types/better-sqlite3": "^7.6.13", "@types/node": "^24.0.0", "@types/pg": "^8.20.0", "tsup": "^8.5.0", "typescript": "^5.8.3", "vitest": "^3.2.4" } }],
+    "identitydb": ["identitydb@git+https://git.psw.kr/p-sw/IdentityDB.git#664d0582bc6b10faaccd2db61f2400bac81c5af5", { "dependencies": { "@types/better-sqlite3": "^7.6.13", "@types/pg": "^8.20.0", "better-sqlite3": "^12.1.1", "kysely": "^0.28.8", "mysql2": "^3.15.3", "pg": "^8.16.0" } }, "664d0582bc6b10faaccd2db61f2400bac81c5af5"],
 
     "ieee754": ["ieee754@1.2.1", "", {}, "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA=="],
 
@@ -417,7 +422,5 @@
     "wrappy": ["wrappy@1.0.2", "", {}, "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="],
 
     "xtend": ["xtend@4.0.2", "", {}, "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ=="],
-
-    "estree-walker/@types/estree": ["@types/estree@1.0.9", "", {}, "sha512-GhdPgy1el4/ImP05X05Uw4cw2/M93BCUmnEvWZNStlCzEKME4Fkk+YpoA5OiHNQmoS7Cafb8Xa3Pya8m1Qrzeg=="],
   }
 }
diff --git a/package.json b/package.json
index 8952bd5..c75cd0f 100644
--- a/package.json
+++ b/package.json
@@ -37,12 +37,17 @@
     "simulation"
   ],
   "dependencies": {
-    "identitydb": "file:../IdentityDB"
+    "identitydb": "git+https://git.psw.kr/p-sw/IdentityDB.git#664d0582bc6b10faaccd2db61f2400bac81c5af5"
   },
   "devDependencies": {
     "@types/node": "^24.0.0",
     "tsup": "^8.5.0",
     "typescript": "^5.8.3",
     "vitest": "^3.2.4"
-  }
+  },
+  "trustedDependencies": [
+    "better-sqlite3",
+    "esbuild",
+    "identitydb"
+  ]
 }
diff --git a/tests/release-config.test.ts b/tests/release-config.test.ts
new file mode 100644
index 0000000..2cf5afc
--- /dev/null
+++ b/tests/release-config.test.ts
@@ -0,0 +1,31 @@
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { describe, expect, it } from 'vitest';
+
+describe('release config', () => {
+  it('depends on a remote IdentityDB package source instead of a local file path', () => {
+    const packageJson = JSON.parse(
+      readFileSync(join(process.cwd(), 'package.json'), 'utf8'),
+    ) as {
+      dependencies?: Record<string, string>;
+      trustedDependencies?: string[];
+    };
+
+    expect(packageJson.dependencies?.identitydb).toMatch(
+      /^git\+https:\/\/git\.psw\.kr\/p-sw\/IdentityDB\.git#[0-9a-f]{40}$/,
+    );
+    expect(packageJson.trustedDependencies).toEqual(
+      expect.arrayContaining(['better-sqlite3', 'esbuild', 'identitydb']),
+    );
+  });
+
+  it('publishes without cloning a sibling IdentityDB repository first', () => {
+    const workflow = readFileSync(
+      join(process.cwd(), '.gitea/workflows/npm-release.yml'),
+      'utf8',
+    );
+
+    expect(workflow).not.toContain('Clone IdentityDB dependency');
+    expect(workflow).not.toContain('IDENTITYDB_URL');
+  });
+});