fix: make local pre-push pass from a fresh worktree (kill AP-219 time-bomb + repo-lint masked bug)

[isuttell]

Summary

git push from a fresh worktree failed the pre-push hook (pnpm verify + pnpm test:coverage) for two independent latent reasons, both masked on main. This fixes both at the root. Verified: verify 96/96 and test:coverage 37/37 pass, and git push now passes the pre-push hook with no --no-verify.

1. AP-219 route-boundary fixture was a time bomb

route-boundary-fixture.ts seeded artifacts at a frozen fixtureNow = 2026-06-05. Published artifacts get a 72h TTL, so expires_at landed on 2026-06-08. getAgentView enforces expiry against the real wall clock (Date.now(), not injectable), so the "same-workspace agent view" assertion flipped to 404 the moment that date passed. listRevisions doesn't check expiry, which is why only one assertion broke and it masqueraded as a local-vs-CI flake.

It was never random: green before that calendar date, red after, everywhere. Fix: anchor seed time to the real clock (the same fix already applied to the pending upload session) and make the billing current_period_end relative so the windows are always open.

2. repo-lint check pointed at the rewritten README

monorepo-policy required every root script + workspace path to appear in README.md. When the README became a public-facing landing doc (#434), that inventory moved to docs/development.md, so 64/65 scripts and all workspace paths vanished from README. It kept passing on main only because turbo's lint task didn't list the docs it reads as inputs, so the cache replayed a stale pass; a fresh checkout gets a cache miss and fails.

Fix: point the script/workspace/Planned-guard checks at docs/development.md, document the one missing script (security:attest), and add a scoped packages/repo-lint/turbo.json declaring the root docs + workspace manifests as lint inputs so doc drift busts the cache instead of being silently masked again.

Risk

Low. No production code paths change. Fix #1 only touches a test fixture; #2 only touches the repo-lint policy + its turbo inputs + a dev doc. The RLS boundary security coverage is fully preserved (all cross-tenant denial checks still run).

Test plan

• pnpm verify -> 96/96
• pnpm test:coverage -> 37/37
• apps/api suite green (346/346), route-rls-boundary.test.ts passes
• git push passes the pre-push hook without --no-verify

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• Documentation

  • Added documentation for the security attestation command.

• Tests

  • Updated test fixtures to use real-time timing instead of hard-coded dates.

• Chores

  • Enhanced monorepo validation to use development documentation.
  • Added Turbo task configuration for repository linting.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 0e23ef0a-b26f-4ac0-ab47-35ff41d453af

📥 Commits

Reviewing files that changed from the base of the PR and between 0e1eadd and fec86c2.

📒 Files selected for processing (4)

• docs/development.md
• packages/db/src/test-helpers/route-boundary-fixture.ts
• packages/repo-lint/src/monorepo-policy.mjs
• packages/repo-lint/turbo.json

---

📝 Walkthrough

Walkthrough

The PR establishes docs/development.md as the canonical source for workspace and script inventory validation in the monorepo policy checker, adds the pnpm security:attest command to documentation, updates test fixture timing to use the real clock, and configures Turbo to track documentation input changes for the lint task.

Changes

Documentation and Repository Validation

Layer / File(s)	Summary
Security attestation command and development doc validation docs/development.md, packages/repo-lint/src/monorepo-policy.mjs	Adds pnpm security:attest command to docs/development.md. Refactors monorepo-policy.mjs to read and validate docs/development.md as the source for workspace and root-script inventory instead of README.md, introducing validateDevelopmentDoc() and deriving "implemented readmes" markers from documented workspace references.
Turbo lint task configuration packages/repo-lint/turbo.json	New Turbo pipeline configuration for the lint task, with file-based inputs including docs/development.md, README.md, package.json, and workspace definitions to trigger linting on documentation or configuration changes.

Test Fixture Real-Time Anchoring

Layer / File(s)	Summary
Real-time clock in test fixture packages/db/src/test-helpers/route-boundary-fixture.ts	fixtureNow is switched from a fixed ISO timestamp to new Date().toISOString(), and workspace_billing.current_period_end is computed relative to now() using now() + interval '30 days' instead of a hard-coded date, aligning seeded test data with real-time behavior.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

• AP-219: The fixture change to use real-time clock anchoring directly affects the PGlite route-boundary test matrix, where seeded timestamps and billing periods are critical for isolation testing.

Possibly related PRs

• zaks-io/agent-paste#65: Updates the same monorepo-policy.mjs script to align workspace and script validation, with overlapping logic for inventory sourcing and documentation tracking.

Poem

🐰 The Rabbit's Ode to Documentation Sync

From README's dusty shelf we freed our facts,
Now docs/development holds the artifact tracks,
With real-time clocks that never grow stale,
And Turbo pipelines won't miss a detail—
The monorepo breathes, the fixtures now wake! 🌙✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR addresses AP-219 and repo-lint issues but does not implement the linked apex marketing worker feature or comprehensive route-boundary coverage matrix requirements.	Clarify ticket relationships or relink to reflect this PR's actual scope as fixes unblocking separate deliverables.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: fixing local pre-push failures from fresh worktrees by addressing two specific issues.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing the two identified issues: test fixture timing alignment, repo-lint policy validation, and turbo configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/local-prepush-green

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

agent-paste PR preview is ready.

API: https://agent-paste-api-pr-438.isaac-a46.workers.dev
Upload: https://agent-paste-upload-pr-438.isaac-a46.workers.dev
Content: https://agent-paste-content-pr-438.isaac-a46.workers.dev
Jobs: https://agent-paste-jobs-pr-438.isaac-a46.workers.dev
Apex: https://agent-paste-apex-pr-438.isaac-a46.workers.dev
Web (login): https://pr-438.preview.agent-paste.sh (first deploy: allow a few minutes for the TLS cert)
Neon branch: https://console.neon.tech/app/projects/still-forest-91029005/branches/br-lucky-shape-apip5mdt

[github-actions]

agent-paste PR preview resources were cleaned up. The shared Preview GitHub Environment is retained for future preview deploys.