ci: add-fixtures-and-generate-bundles

.github/workflows/ci.yml

@@ -198,3 +198,55 @@ jobs:
 
             ---
             <sub>🔄 Updated automatically on each push to this PR</sub>
+
+      - name: Download feature bundle baseline
+        uses: dawidd6/action-download-artifact@v3
+        with:
+          workflow: publish.yml
+          branch: main
+          name: bundle-feature-baseline
+          path: e2e/bundle-check-app
+          if_no_artifact_found: warn
+        continue-on-error: true
+
+      - name: Run feature bundle check
+        id: bundle-features
+        run: |
+          pnpm nx nxBundle bundle-check-app --skip-sync --no-agents
+          {
+            echo 'report<<BUNDLE_FEATURE_EOF'
+            cat e2e/bundle-check-app/dist/bundle-feature-report.md
+            echo 'BUNDLE_FEATURE_EOF'
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Find feature bundle comment
+        id: find-feature-comment
+        uses: peter-evans/find-comment@v4
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: <!-- bundle-feature-check -->
+
+      - name: Create or update feature bundle comment
+        uses: peter-evans/create-or-update-comment@v5
+        with:
+          comment-id: ${{ steps.find-feature-comment.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          edit-mode: replace
+          body: |
+            <!-- bundle-feature-check -->
+            ## Tree-shaken Feature Bundle Sizes
+
+            Minified + gzip level-9 cost of each SDK feature in isolation, as a consumer would receive it.
+
+            ${{ steps.bundle-features.outputs.report }}
+
+            <details>
+            <summary>How these are measured</summary>
+
+            Each fixture imports a single feature and is bundled with Rollup + esbuild + terser (full minification, ESM, tree-shaking on). Numbers reflect what a consumer ships and what their users download, not the raw dist size.
+
+            </details>
+
+            ---
+            <sub>Updated automatically on each push to this PR</sub>

.github/workflows/publish.yml

@@ -93,6 +93,16 @@ jobs:
           path: previous_sizes.json
           retention-days: 30
 
+      - name: Run feature bundle check
+        run: pnpm nx nxBundle bundle-check-app --skip-sync
+
+      - name: Upload feature bundle baseline
+        uses: actions/upload-artifact@v5
+        with:
+          name: bundle-feature-baseline
+          path: e2e/bundle-check-app/dist/bundle-feature-baseline.json
+          retention-days: 30
+
   snapshot:
     # Guard against publishing snapshots from the protected release branch.
     if: >-

e2e/bundle-check-app/fixtures/davinci-client-flow.ts

@@ -0,0 +1,31 @@
+import { davinci } from '@forgerock/davinci-client';
+
+const client = await davinci({
+  config: {
+    serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' },
+    clientId: 'test-client',
+    redirectUri: 'https://example.com/callback',
+    scope: 'openid profile',
+  },
+});
+
+let node = await client.start();
+
+// Walk the flow until it reaches a terminal node
+while (node.status === 'continue') {
+  for (const collector of node.collectors) {
+    if (collector.category === 'SingleValueCollector' && collector.type === 'TextCollector') {
+      client.update(collector)('test-value');
+    }
+    if (collector.category === 'SingleValueCollector' && collector.type === 'PasswordCollector') {
+      client.update(collector)('test-password');
+    }
+  }
+  node = await client.next();
+}
+
+if (node.status === 'success') {
+  console.log('Login successful', node.session);
+} else if (node.status === 'error' || node.status === 'failure') {
+  console.error('Login failed', node.error);
+}

e2e/bundle-check-app/fixtures/davinci-client.ts

@@ -0,0 +1,13 @@
+import { davinci } from '@forgerock/davinci-client';
+
+const client = await davinci({
+  config: {
+    serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' },
+    clientId: 'test-client',
+    redirectUri: 'https://example.com/callback',
+    scope: 'openid profile',
+  },
+});
+
+const node = await client.start();
+console.log(node);

e2e/bundle-check-app/fixtures/device-client.ts

@@ -0,0 +1,20 @@
+import { deviceClient } from '@forgerock/device-client';
+
+const client = deviceClient({
+  serverConfig: {
+    baseUrl: 'https://example.com/am',
+  },
+  realmPath: 'root',
+});
+
+// Retrieve OATH (TOTP/HOTP) devices for a user
+const oathDevices = await client.oath.get({
+  userId: 'user@example.com',
+});
+console.log(oathDevices);
+
+// Retrieve Push notification devices
+const pushDevices = await client.push.get({
+  userId: 'user@example.com',
+});
+console.log(pushDevices);

e2e/bundle-check-app/fixtures/effect-barrel-option.ts

@@ -0,0 +1,13 @@
+// Same usage but imports from the top-level 'effect' barrel instead of 'effect/Option'
+// Tests whether the barrel import prevents tree-shaking vs the subpath
+import { Option, pipe } from 'effect';
+
+const result = pipe(
+  Option.fromNullable(Math.random() > 0.5 ? 'hello' : null),
+  Option.match({
+    onNone: () => 'none',
+    onSome: (v) => v.toUpperCase(),
+  }),
+);
+
+console.log(result);

e2e/bundle-check-app/fixtures/effect-subpath-option.ts

@@ -0,0 +1,14 @@
+// Imports Option via the subpath: effect/Option
+// Tests whether Rollup tree-shakes to only fromNullable + match
+import * as Option from 'effect/Option';
+import { pipe } from 'effect/Function';
+
+const result = pipe(
+  Option.fromNullable(Math.random() > 0.5 ? 'hello' : null),
+  Option.match({
+    onNone: () => 'none',
+    onSome: (v) => v.toUpperCase(),
+  }),
+);
+
+console.log(result);

e2e/bundle-check-app/fixtures/journey-client-device.ts

@@ -0,0 +1,14 @@
+import { journey } from '@forgerock/journey-client';
+import { Device } from '@forgerock/journey-client/device';
+
+const client = await journey({
+  config: { serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' } },
+});
+
+const step = await client.start();
+
+if (step.type === 'Step') {
+  const device = new Device();
+  const profile = await device.getProfile({ collectLocation: false });
+  console.log(profile);
+}

e2e/bundle-check-app/fixtures/journey-client-policy.ts

@@ -0,0 +1,13 @@
+import { journey } from '@forgerock/journey-client';
+import { Policy } from '@forgerock/journey-client/policy';
+
+const client = await journey({
+  config: { serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' } },
+});
+
+const step = await client.start();
+
+if (step.type === 'Step') {
+  const errors = Policy.parseErrors(step.callbacks);
+  console.log(errors);
+}

e2e/bundle-check-app/fixtures/journey-client-qr-code.ts

@@ -0,0 +1,13 @@
+import { journey } from '@forgerock/journey-client';
+import { QRCode } from '@forgerock/journey-client/qr-code';
+
+const client = await journey({
+  config: { serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' } },
+});
+
+const step = await client.start();
+
+if (step.type === 'Step') {
+  const qrCode = QRCode.getQRCodeData(step);
+  console.log(qrCode);
+}

e2e/bundle-check-app/fixtures/journey-client-recovery-codes.ts

@@ -0,0 +1,13 @@
+import { journey } from '@forgerock/journey-client';
+import { RecoveryCodes } from '@forgerock/journey-client/recovery-codes';
+
+const client = await journey({
+  config: { serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' } },
+});
+
+const step = await client.start();
+
+if (step.type === 'Step') {
+  const codes = RecoveryCodes.getCodes(step);
+  console.log(codes);
+}

e2e/bundle-check-app/fixtures/journey-client-webauthn.ts

@@ -0,0 +1,16 @@
+import { journey } from '@forgerock/journey-client';
+import { WebAuthn, WebAuthnStepType } from '@forgerock/journey-client/webauthn';
+
+const client = await journey({
+  config: { serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' } },
+});
+
+let step = await client.start();
+
+while (step.type === 'Step') {
+  const stepType = WebAuthn.getWebAuthnStepType(step);
+  if (stepType === WebAuthnStepType.Authenticate || stepType === WebAuthnStepType.Register) {
+    await WebAuthn.getWebAuthnOutcome(step);
+  }
+  step = await client.next(step);
+}

e2e/bundle-check-app/fixtures/journey-client.ts

@@ -0,0 +1,15 @@
+import { journey } from '@forgerock/journey-client';
+
+const client = await journey({
+  config: { serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' } },
+});
+
+let step = await client.start();
+
+while (step.type === 'Step') {
+  if (step.callbacks.some((cb) => cb.type === 'RedirectCallback')) {
+    await client.redirect(step);
+    break;
+  }
+  step = await client.next(step);
+}

e2e/bundle-check-app/fixtures/journey-full.ts

@@ -0,0 +1,35 @@
+/**
+ * Realistic consumer pattern: journey authentication + WebAuthn + device fingerprinting.
+ * Mirrors what a real app would import for a complete login experience.
+ */
+import { journey } from '@forgerock/journey-client';
+import { WebAuthn } from '@forgerock/journey-client/webauthn';
+import { Device } from '@forgerock/journey-client/device';
+
+const config = {
+  serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' },
+};
+
+// Collect device profile before authentication
+const device = new Device();
+const profile = await device.getProfile({ location: false, metadata: false });
+console.log('device profile collected', profile);
+
+const client = await journey({ config });
+let step = await client.start();
+
+while (step.type === 'Step') {
+  // Check if this step requires WebAuthn
+  const webAuthnType = WebAuthn.getWebAuthnStepType(step);
+  if (webAuthnType !== 'None') {
+    console.log('webauthn step type', webAuthnType);
+  }
+
+  step = await client.next(step);
+}
+
+if (step.type === 'LoginSuccess') {
+  console.log('authenticated', step.getSessionToken());
+} else if (step.type === 'LoginFailure') {
+  console.error('authentication failed', step);
+}

e2e/bundle-check-app/fixtures/oidc-client-logout.ts

@@ -0,0 +1,22 @@
+import { oidc } from '@forgerock/oidc-client';
+
+const client = await oidc({
+  config: {
+    serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' },
+    clientId: 'test-client',
+    redirectUri: 'https://example.com/callback',
+    scope: 'openid profile',
+  },
+});
+
+if ('error' in client) {
+  console.error(client.error);
+} else {
+  // Revoke tokens (server-side invalidation)
+  const revokeResult = await client.token.revoke();
+  console.log(revokeResult);
+
+  // Full logout (revoke + end session endpoint)
+  const logoutResult = await client.logout();
+  console.log(logoutResult);
+}

e2e/bundle-check-app/fixtures/oidc-client-token.ts

@@ -0,0 +1,30 @@
+import { oidc } from '@forgerock/oidc-client';
+
+const client = await oidc({
+  config: {
+    serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' },
+    clientId: 'test-client',
+    redirectUri: 'https://example.com/callback',
+    scope: 'openid profile',
+  },
+});
+
+if ('error' in client) {
+  console.error(client.error);
+} else {
+  // Token exchange after authorization code callback
+  const tokens = await client.token.exchange('auth-code-123', 'state-abc');
+  if ('error' in tokens) {
+    console.error(tokens.error);
+  } else {
+    console.log(tokens);
+  }
+
+  // Retrieve stored tokens (with auto-renew if backgroundRenew is set)
+  const stored = await client.token.get({ backgroundRenew: false });
+  if ('error' in stored) {
+    console.error(stored.error);
+  } else {
+    console.log(stored);
+  }
+}

e2e/bundle-check-app/fixtures/oidc-client.ts

@@ -0,0 +1,13 @@
+import { oidc } from '@forgerock/oidc-client';
+
+const client = await oidc({
+  config: {
+    serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' },
+    clientId: 'test-client',
+    redirectUri: 'https://example.com/callback',
+    scope: 'openid profile',
+  },
+});
+
+const url = await client.getAuthorizationUrl();
+console.log(url);

e2e/bundle-check-app/fixtures/protect.ts

@@ -0,0 +1,15 @@
+import { protect } from '@forgerock/protect';
+
+const api = protect({
+  envId: 'example-env-id',
+  behavioralDataCollection: true,
+});
+
+const startResult = await api.start();
+
+if (startResult && 'error' in startResult) {
+  console.error(startResult.error);
+} else {
+  const data = await api.getData();
+  console.log(data);
+}

e2e/bundle-check-app/fixtures/redirect.ts

@@ -0,0 +1,11 @@
+import { journey } from '@forgerock/journey-client';
+
+const client = await journey({
+  config: { serverConfig: { wellknown: 'https://example.com/.well-known/openid-configuration' } },
+});
+
+const step = await client.start();
+
+if (step.type === 'Step') {
+  await client.redirect(step);
+}