chore: unify pnpm into a single root workspace

[kyscott18]

Makes the repo root the single pnpm workspace, eliminating the two separate pnpm installs (root Biome-only + self-contained frontend/).

Changes

• Add root pnpm-workspace.yaml with packages: [frontend], moving the pnpm-10 settings (minimumReleaseAge, minimumReleaseAgeExclude, onlyBuiltDependencies, allowBuilds) up from frontend/.
• Root package.json scripts delegating to the workspace: dev/build/start/typecheck → pnpm --filter frontend ..., plus lint → biome check ..
• Delete frontend/pnpm-workspace.yaml and frontend/pnpm-lock.yaml — there is now a single root pnpm-lock.yaml covering root (Biome) + frontend.
• ci.yml: typecheck/build install once at the repo root (dropped working-directory: frontend; cache-dependency-path: pnpm-lock.yaml) and run the root scripts.

Verification (pnpm 10, Node 22, locally)

• pnpm install --frozen-lockfile ✓ (lockfile up to date)
• pnpm typecheck ✓
• pnpm build ✓ (Next 16 production build)
• biome ci ✓ (only the pre-existing noNonNullAssertion warning)

⚠️ Vercel coordination required before merge

This moves the lockfile to the repo root and makes the project a pnpm workspace. The Vercel project settings (Root Directory, Install Command, lockfile detection) live in the dashboard, not this repo — they likely need updating or preview/production deploys can break. Suggested Vercel settings:

• Root Directory: frontend with "Include files outside the root directory" enabled (so the root lockfile/workspace is available), or set Root Directory to repo root with build/output configured for frontend.
• Install Command: pnpm install --frozen-lockfile run at the workspace root.

Please confirm/adjust the Vercel side together with this merge.

Stacked on #101 (linear: #100 → #101 → this) so the rust job is green too. Retarget base to main once the lower PRs merge.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
monode	Ready	Preview, Comment	Jun 9, 2026 7:54pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​tailwindcss@​4.1.17 ⏵ 4.3.0	+1		+1
	npm/​eslint@​9.39.1 ⏵ 9.39.4	+1
	npm/​@​tailwindcss/​postcss@​4.1.17 ⏵ 4.3.0	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm es-abstract is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/eslint-config-next@16.0.6 → npm/es-abstract@1.24.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-abstract@1.24.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm js-yaml is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/eslint@9.39.4 → npm/js-yaml@4.2.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[greptile-apps]

Greptile Summary

This PR unifies the repository into a single pnpm workspace rooted at the repo root, eliminating the separate frontend/ pnpm install. The root pnpm-workspace.yaml and pnpm-lock.yaml now cover both Biome (root devDependency) and all frontend packages.

• Workspace consolidation: pnpm-workspace.yaml created at root with packages: [frontend]; all pnpm 10 security settings (minimumReleaseAge, allowBuilds, onlyBuiltDependencies) migrated from frontend/pnpm-workspace.yaml.
• CI updated: typecheck and build jobs drop working-directory: frontend and point cache-dependency-path at the root pnpm-lock.yaml; root scripts delegate correctly via pnpm --filter frontend.
• Vercel coordination required: As called out in the PR description, the Vercel project's Root Directory, Install Command, and lockfile detection settings must be updated in the dashboard before or alongside this merge to avoid broken preview/production deploys.

Confidence Score: 5/5

Safe to merge on the repo side; the only outstanding risk is Vercel dashboard configuration, which the author has explicitly called out.

All changes are mechanical: workspace settings migrated verbatim, CI paths updated consistently, and the unified lockfile covers both root and frontend packages. No logic changes, no new runtime code, and the local verification steps in the PR description cover the critical paths.

No files require special attention beyond confirming the Vercel project settings are updated in the dashboard before or alongside merge.

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Removes working-directory: frontend defaults and updates cache-dependency-path to root pnpm-lock.yaml for typecheck and build jobs; installs and runs correctly from workspace root.
package.json	Adds workspace root scripts delegating to the frontend package via --filter; adds name, private, and a lint script using biome check .
pnpm-workspace.yaml	New root workspace config declaring frontend as a package and migrating pnpm 10 security/build settings from frontend/pnpm-workspace.yaml.
pnpm-lock.yaml	New root-level lockfile replacing the deleted frontend/pnpm-lock.yaml; covers both root devDependencies (Biome) and the frontend workspace.
frontend/pnpm-lock.yaml	Deleted — superseded by the new root pnpm-lock.yaml that covers the unified workspace.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    subgraph Before
        A[root pnpm install - biome only]
        B[frontend pnpm install - Next.js]
        A -- separate install --> B
    end

    subgraph After
        C[root pnpm install - unified workspace]
        D[frontend - Next.js app]
        C -- workspace member --> D
    end

    subgraph CI
        E[lint - biome standalone]
        F[typecheck - pnpm typecheck]
        G[build - pnpm build]
        F --> D
        G --> D
    end

Loading

_{Reviews (2): Last reviewed commit: "chore: unify pnpm into a single root wor..." | Re-trigger Greptile}

[greptile-apps]

lint script diverges from CI behavior

The CI lint job runs biome ci --linter-enabled=true --formatter-enabled=true directly (via biomejs/setup-biome), while the new root lint script runs biome check .. biome check without --write exits non-zero on violations like biome ci does, but the flag set differs — biome ci hard-enables both linter and formatter regardless of biome.json, whereas biome check . inherits defaults from config. If biome.json disables one of those by default, pnpm lint locally will pass on code that CI rejects, defeating the point of the script.

Prompt To Fix With AI

This is a comment left during a code review.
Path: package.json
Line: 9

Comment:
**`lint` script diverges from CI behavior**

The CI `lint` job runs `biome ci --linter-enabled=true --formatter-enabled=true` directly (via `biomejs/setup-biome`), while the new root `lint` script runs `biome check .`. `biome check` without `--write` exits non-zero on violations like `biome ci` does, but the flag set differs — `biome ci` hard-enables both linter and formatter regardless of biome.json, whereas `biome check .` inherits defaults from config. If `biome.json` disables one of those by default, `pnpm lint` locally will pass on code that CI rejects, defeating the point of the script.

How can I resolve this? If you propose a fix, please make it concise.