test: guard runtime-agnostic dist entries against node-builtin imports

[antfu]

Summary

• Adds packages/devframe/test/runtime-agnostic.test.ts, which walks the transitive import graph of devframe/client and the 10 runtime-agnostic devframe/utils/* entries and fails on any node:* / bare-builtin import or require() call.
• The test surfaced that tsdown's CJS-interop shim imports node:module#createRequire, so every agnostic entry that transitively bundled a CJS dep was tainted; human-id (pure CJS) and ansis (ESM that re-exports from .cjs) were the offenders pulling the shim into utils/human-id, utils/colors, and (via human-id) client/index.
• Vendors human-id@4.1.3 inline in src/utils/human-id.ts (~30 LOC + MIT-licensed word lists) and replaces ansis@4.3.0 with a small inline ANSI palette in src/utils/colors.ts; drops both deps from package.json, the tsdown onlyBundle list, and the pnpm workspace catalogs.
• Two tsnapi snapshots updated to reflect the now-direct export function / export const shapes; full pre-PR run (pnpm lint && pnpm test && pnpm typecheck && pnpm build) is green with 317/317 tests passing.

Test plan

• pnpm --filter devframe build && pnpm exec vitest run --project devframe runtime-agnostic — 11/11 entries green
• Sanity check: temporarily inject import { readFileSync } from 'node:fs' into src/utils/nanoid.ts, rebuild — guard reports 4 entries red (nanoid + 3 transitive consumers); revert
• pnpm lint && pnpm test && pnpm typecheck && pnpm build — all clean

[netlify]

✅ Deploy Preview for devfra ready!

Name	Link
🔨 Latest commit	0055f73
🔍 Latest deploy log	https://app.netlify.com/projects/devfra/deploys/6a0566f22801e60008ecabb3
😎 Deploy Preview	https://deploy-preview-15--devfra.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[Copilot]

Pull request overview

Adds a runtime-agnostic dist-entry guard for devframe/client and selected devframe/utils/* exports, and removes Node-builtin taint by inlining small replacements for human-id and ansis.

Changes:

• Added a Vitest guard that scans built dist entries for Node builtin imports/requires.
• Vendored humanId() word-list generation and replaced ansis with a minimal inline ANSI color palette.
• Removed human-id/ansis package wiring and updated API snapshots.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
packages/devframe/test/runtime-agnostic.test.ts	Adds dist-entry scan for Node builtin imports.
packages/devframe/src/utils/human-id.ts	Replaces external human-id dependency with inline implementation.
packages/devframe/src/utils/colors.ts	Replaces ansis with inline color functions.
packages/devframe/package.json	Removes direct/inlined dependency declarations.
packages/devframe/tsdown.config.ts	Removes deleted deps from bundling allowlist.
pnpm-workspace.yaml	Removes deleted deps from catalogs.
pnpm-lock.yaml	Updates lockfile after dependency removals.
tests/__snapshots__/tsnapi/devframe/utils/human-id.snapshot.js	Updates public API snapshot shape.
tests/__snapshots__/tsnapi/devframe/utils/colors.snapshot.js	Updates public API snapshot shape.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.