Refactor/fix standards violations (#43)

* chore: fix command export default issue

* refactor(packages/core,packages/cli): fix coding standards violations

Replace `as` type assertions with type annotations, type guards, and
documented exceptions. Replace `try/catch` blocks with `attempt` and
`attemptAsync` from es-toolkit. Replace multi-branch if/else chains
with ts-pattern `match` expressions. Rename `redactPaths` to
`REDACT_PATHS`. Document intentional mutation and throw exceptions.

Closes #12, #15, #18, #20, #21, #33

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: missing work

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: zrosenbauer

CLAUDE.md

@@ -29,7 +29,7 @@ You are a strict functional programmer. You write pure, immutable, declarative T
 | [tsdown](https://tsdown.dev)                           | Bundler                 | [llms.txt](https://tsdown.dev/llms.txt) \| [llms-full.txt](https://tsdown.dev/llms-full.txt) |
 | [OXC](https://oxc.rs) (oxlint)                         | Linting                 | [llms.txt](https://oxc.rs/llms.txt)                                                          |
 | [Vitest](https://vitest.dev)                           | Testing                 | [GitHub](https://github.com/vitest-dev/vitest)                                               |
-| [type-fest](https://github.com/sindresorhus/type-fest) | Type utilities           | [GitHub](https://github.com/sindresorhus/type-fest)                                          |
+| [type-fest](https://github.com/sindresorhus/type-fest) | Type utilities          | [GitHub](https://github.com/sindresorhus/type-fest)                                          |
 | [Changesets](https://github.com/changesets/changesets) | Versioning & publishing | [GitHub](https://github.com/changesets/changesets)                                           |
 
 ## Commands

MIDDLEWARE.md

@@ -148,8 +148,8 @@ const loadUser = middleware<{ Variables: { user: User } }>(async (ctx, next) =>
 export default command({
   middleware: [loadUser],
   handler: async (ctx) => {
-    ctx.user        // User -- type-safe, scoped to this command
-    ctx.user.role   // 'admin' | 'user'
+    ctx.user // User -- type-safe, scoped to this command
+    ctx.user.role // 'admin' | 'user'
   },
 })
 ```
@@ -226,10 +226,7 @@ http({
 ```ts
 function compose(...middlewares: readonly Middleware[]): Middleware {
   return middleware(async (ctx, next) => {
-    const chain = middlewares.reduceRight(
-      (nextFn, mw) => () => mw.handler(ctx, nextFn),
-      next,
-    )
+    const chain = middlewares.reduceRight((nextFn, mw) => () => mw.handler(ctx, nextFn), next)
     await chain()
   })
 }
@@ -252,47 +249,46 @@ auth({
 })
 
 // After -- root middleware
-auth({
+;(auth({
   strategies: [
     auth.env(),
     auth.file(),
     auth.oauth({ clientId: '...', authUrl: '...', tokenUrl: '...' }),
     auth.token(),
   ],
 }),
-http({
-  baseUrl: 'https://api.example.com',
-  namespace: 'api',
-  headers: auth.headers(),
-}),
-
-// After -- login command (no change for simple case)
-await ctx.auth.login()
+  http({
+    baseUrl: 'https://api.example.com',
+    namespace: 'api',
+    headers: auth.headers(),
+  }),
+  // After -- login command (no change for simple case)
+  await ctx.auth.login())
 ```
 
-| Concern | Current | Proposed |
-| ------- | ------- | -------- |
-| Passive resolution | `auth({ resolvers: [env, file, ...interactive] })` | `auth({ strategies: [env, file, ...interactive] })` |
-| Interactive login | `ctx.auth.login()` walks global resolvers | `ctx.auth.login()` (same), or override with `{ strategies }` |
-| Auth enforcement | User writes custom middleware | `auth.require()` built-in |
-| HTTP + auth wiring | `auth({ http: { ... } })` bundled, implicit | `http({ headers: auth.headers() })` explicit |
-| Targeted strategy | Not possible | `ctx.auth.login({ strategies: [auth.token()] })` |
-| Bundle middleware | Not possible | `compose(mw1, mw2, mw3)` |
-| Context type safety | Global module augmentation | `middleware<{ Variables: { ... } }>()` per-middleware |
+| Concern             | Current                                            | Proposed                                                     |
+| ------------------- | -------------------------------------------------- | ------------------------------------------------------------ |
+| Passive resolution  | `auth({ resolvers: [env, file, ...interactive] })` | `auth({ strategies: [env, file, ...interactive] })`          |
+| Interactive login   | `ctx.auth.login()` walks global resolvers          | `ctx.auth.login()` (same), or override with `{ strategies }` |
+| Auth enforcement    | User writes custom middleware                      | `auth.require()` built-in                                    |
+| HTTP + auth wiring  | `auth({ http: { ... } })` bundled, implicit        | `http({ headers: auth.headers() })` explicit                 |
+| Targeted strategy   | Not possible                                       | `ctx.auth.login({ strategies: [auth.token()] })`             |
+| Bundle middleware   | Not possible                                       | `compose(mw1, mw2, mw3)`                                     |
+| Context type safety | Global module augmentation                         | `middleware<{ Variables: { ... } }>()` per-middleware        |
 
 ---
 
 ## Build Readiness
 
-| Component | Status | Notes |
-| --------- | ------ | ----- |
-| `http()` with explicit `headers` | **Ready to build** | Add `auth: false` default, remove `ctx.auth` magic. Already supports `headers: (ctx) => ...`. |
-| `auth.headers()` | **Ready to build** | Small factory function. Uses existing `buildAuthHeaders()`. |
-| `auth.require()` | **Ready to build** | Already documented as a pattern. Move into the `auth` namespace. |
-| `compose()` | **Ready to build** | ~10 lines. `reduceRight` over middleware handlers. |
-| `login({ strategies })` | Design finalized | Optional override. Requires refactoring `runStrategyChain` to accept filtered list. |
-| `resolvers` → `strategies` rename | Design finalized | Non-breaking if old key is kept as alias during migration. |
-| Remove `auth({ http })` option | Design finalized | Deprecate, then remove. Replaced by standalone `http()` + `auth.headers()`. |
+| Component                            | Status             | Notes                                                                                                                                 |
+| ------------------------------------ | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------- |
+| `http()` with explicit `headers`     | **Ready to build** | Add `auth: false` default, remove `ctx.auth` magic. Already supports `headers: (ctx) => ...`.                                         |
+| `auth.headers()`                     | **Ready to build** | Small factory function. Uses existing `buildAuthHeaders()`.                                                                           |
+| `auth.require()`                     | **Ready to build** | Already documented as a pattern. Move into the `auth` namespace.                                                                      |
+| `compose()`                          | **Ready to build** | ~10 lines. `reduceRight` over middleware handlers.                                                                                    |
+| `login({ strategies })`              | Design finalized   | Optional override. Requires refactoring `runStrategyChain` to accept filtered list.                                                   |
+| `resolvers` → `strategies` rename    | Design finalized   | Non-breaking if old key is kept as alias during migration.                                                                            |
+| Remove `auth({ http })` option       | Design finalized   | Deprecate, then remove. Replaced by standalone `http()` + `auth.headers()`.                                                           |
 | Typed middleware (`middleware<E>()`) | **Ready to build** | Pure type-level change. Uses `decorateContext` for runtime, generics + `InferVariables` for type inference. No `ctx.set()`/`ctx.var`. |
 
 ---
@@ -338,7 +334,9 @@ Onion model -- root wraps command, command wraps handler. Short-circuit by not c
 decorateContext(ctx, 'api', httpClient)
 
 declare module '@kidd-cli/core' {
-  interface Context { readonly api: HttpClient }
+  interface Context {
+    readonly api: HttpClient
+  }
 }
 ```
 
@@ -377,8 +375,8 @@ jwt({ secret: '...', alg: 'HS256' })                         // auto-decorates c
 Lifecycle hooks, not middleware chain. Auth uses separate focused plugins composed via `@fastify/auth`:
 
 ```ts
-fastify.auth([fastify.verifyJWT, fastify.verifyApiKey], { relation: 'or' })   // OR composition
-fastify.auth([fastify.verifyJWT, fastify.verifyAdmin], { relation: 'and' })   // AND composition
+fastify.auth([fastify.verifyJWT, fastify.verifyApiKey], { relation: 'or' }) // OR composition
+fastify.auth([fastify.verifyJWT, fastify.verifyAdmin], { relation: 'and' }) // AND composition
 ```
 
 Each plugin (`@fastify/bearer-auth`, `@fastify/basic-auth`, `@fastify/jwt`, `@fastify/oauth2`) decorates the instance with a verification function. Request decoration is each strategy's responsibility. `@fastify/jwt` supports namespaces for multiple configs (`request.accessVerify()` vs `request.refreshVerify()`). Context typing uses module augmentation (global).

docs/concepts/authentication.md

@@ -278,11 +278,11 @@ if (error) {
 
 ### AuthError
 
-| AuthError `type`   | Description                               |
-| ------------------ | ----------------------------------------- |
-| `'no_credential'`  | No resolver produced a credential         |
-| `'save_failed'`    | Credential resolved but failed to persist |
-| `'remove_failed'`  | Failed to remove the credential file      |
+| AuthError `type`  | Description                               |
+| ----------------- | ----------------------------------------- |
+| `'no_credential'` | No resolver produced a credential         |
+| `'save_failed'`   | Credential resolved but failed to persist |
+| `'remove_failed'` | Failed to remove the credential file      |
 
 ## Requiring Authentication
 
@@ -328,10 +328,7 @@ Apply the middleware to the root `middleware` array to enforce authentication on
 cli({
   name: 'my-app',
   version: '1.0.0',
-  middleware: [
-    auth({ resolvers: [auth.env(), auth.token()] }),
-    requireAuth,
-  ],
+  middleware: [auth({ resolvers: [auth.env(), auth.token()] }), requireAuth],
   commands: `${import.meta.dirname}/commands`,
 })
 ```

examples/advanced/README.md

@@ -64,11 +64,11 @@ Config values are loaded from a configuration file and accessible via `ctx.confi
 
 ## Middleware stack
 
-| Middleware  | Description                                                  |
-| ----------- | ------------------------------------------------------------ |
-| `http()`    | Standalone HTTP client with dynamic config-driven headers    |
-| `timing`    | Measures and logs command execution time                     |
-| `telemetry` | Tracks command invocations                                   |
+| Middleware  | Description                                               |
+| ----------- | --------------------------------------------------------- |
+| `http()`    | Standalone HTTP client with dynamic config-driven headers |
+| `timing`    | Measures and logs command execution time                  |
+| `telemetry` | Tracks command invocations                                |
 
 ### Standalone `http()` middleware
 

examples/authenticated-service/README.md

@@ -123,9 +123,9 @@ cli({
 
 ### Resolvers
 
-| Resolver        | Description                                                                 |
-| --------------- | --------------------------------------------------------------------------- |
-| `auth.oauth()`  | Opens browser, runs PKCE authorization code flow with local callback server |
+| Resolver       | Description                                                                 |
+| -------------- | --------------------------------------------------------------------------- |
+| `auth.oauth()` | Opens browser, runs PKCE authorization code flow with local callback server |
 | `auth.token()` | Falls back to interactive terminal input                                    |
 
 ### OAuth PKCE flow

examples/authenticated-service/api/server.ts

@@ -276,10 +276,7 @@ function handleAuthorizePage(
   res.end(html)
 }
 
-async function handleAuthorizeGrant(
-  req: IncomingMessage,
-  res: ServerResponse
-): Promise<void> {
+async function handleAuthorizeGrant(req: IncomingMessage, res: ServerResponse): Promise<void> {
   const raw = await readBody(req)
   try {
     const body = JSON.parse(raw) as {

packages/cli/src/commands/doctor.ts

@@ -188,10 +188,7 @@ function displayResults(
  * @param fixResults - The fix results to check for applied fixes.
  * @returns The formatted result line string.
  */
-function formatResultLine(
-  result: CheckResult,
-  fixResults: readonly FixResult[]
-): string {
+function formatResultLine(result: CheckResult, fixResults: readonly FixResult[]): string {
   const appliedFix = fixResults.find((f) => f.name === result.name && f.fixed)
 
   if (appliedFix) {
@@ -221,7 +218,8 @@ function formatDisplayStatus(status: CheckStatus | 'fix'): string {
     .with('pass', () => pc.green('pass'))
     .with('warn', () => pc.yellow('warn'))
     .with('fix', () => pc.blue('fix '))
-    .otherwise(() => pc.red('fail'))
+    .with('fail', () => pc.red('fail'))
+    .exhaustive()
 }
 
 /**

packages/cli/src/lib/detect.ts

@@ -102,4 +102,3 @@ async function readPackageJson(filePath: string): AsyncResult<PackageJson, Gener
     ]
   }
 }
-

packages/cli/src/lib/write.ts

@@ -92,4 +92,3 @@ async function writeSingleFile(
     ]
   }
 }
-

packages/core/CHANGELOG.md

@@ -11,17 +11,16 @@
   **Auth HTTP integration:** `auth({ http: { baseUrl, namespace } })` creates authenticated HTTP clients with automatic credential header injection. Supports single or multiple clients via an array.
 
   **Breaking changes:**
-
   - `http()` no longer auto-reads `ctx.auth.credential()`. Use `auth({ http })` for authenticated clients or pass `headers` explicitly.
   - `HttpOptions.defaultHeaders` renamed to `headers` and now accepts a function `(ctx) => Record<string, string>` in addition to a static record.
 
   Before:
 
   ```ts
   middleware: [
-    auth({ resolvers: [{ source: "env" }] }),
-    http({ baseUrl: "https://api.example.com", namespace: "api" }),
-  ];
+    auth({ resolvers: [{ source: 'env' }] }),
+    http({ baseUrl: 'https://api.example.com', namespace: 'api' }),
+  ]
   ```
 
   After:
@@ -30,9 +29,9 @@
   middleware: [
     auth({
       resolvers: [auth.env()],
-      http: { baseUrl: "https://api.example.com", namespace: "api" },
+      http: { baseUrl: 'https://api.example.com', namespace: 'api' },
     }),
-  ];
+  ]
   ```
 
 - f48ad38: Replace non-standard OAuth flow with spec-compliant PKCE (RFC 7636) and add Device Authorization Grant (RFC 8628)