Migrate calm-suite projects from pnpm to npm workspaces

[rocketstack-matt]

Feature Proposal

Target Project:

calm-suite (calm-guard and calm-studio)

Description of Feature:

Both CALM Guard and CALM Studio were developed as standalone pnpm projects before being brought into the architecture-as-code monorepo (#2320). The rest of the monorepo uses npm workspaces for dependency management. The calm-suite projects should be migrated from pnpm to npm workspaces to align with the monorepo standard.

Currently the CI workflows for calm-suite install pnpm separately and run pnpm install --frozen-lockfile within their subdirectories. This works, but diverges from the pattern used by every other project in the monorepo (e.g. cli, shared, calm-hub-ui, calm-server, calm-widgets) which all use npm ci at the root and npm run <script> --workspace=<name>.

User Stories:

• As a contributor, I want npm ci at the root to install dependencies for all projects including calm-suite, so that I don't need to know about pnpm to work on any part of the monorepo
• As a maintainer, I want a single package manager across all projects so that dependency updates (Renovate/Dependabot), CVE scanning, and license scanning work uniformly
• As a CI engineer, I want calm-suite builds to follow the same workflow pattern as other projects so that workflows are consistent and easier to maintain

Current Limitations:

• npm ci at the root does not install calm-suite dependencies
• Calm-suite CI workflows require a separate pnpm setup step
• Root-level CVE scanning (cve-scanning-node.yml) and license scanning (license-scanning-node.yml) don't cover calm-suite packages
• Renovate/Dependabot may not detect or update calm-suite dependencies since they use pnpm-lock.yaml instead of the root package-lock.json

Proposed Implementation:

1. calm-guard (single Next.js app):

   • Remove pnpm-workspace.yaml if present
   • Add calm-suite/calm-guard to the root package.json workspaces array
   • Regenerate package-lock.json at root via npm install
   • Update build-calm-guard.yml to use npm ci + npm run <script> --workspace=calm-suite/calm-guard

2. calm-studio (pnpm monorepo with packages/ and apps/):

   • This is more complex as calm-studio is itself a pnpm workspace with multiple packages (@calmstudio/calm-core, @calmstudio/extensions, @calmstudio/mcp-server, @calmstudio/studio)
   • Remove pnpm-workspace.yaml
   • Add each sub-package to the root package.json workspaces array (e.g. calm-suite/calm-studio/packages/*, calm-suite/calm-studio/apps/*)
   • Verify inter-package references resolve correctly under npm workspaces
   • Regenerate root package-lock.json
   • Update build-calm-studio.yml and build-calm-studio-desktop.yml to use npm
   • Note: calm-studio includes a Tauri/Rust desktop app build which may need special attention

3. Post-migration cleanup:

   • Add calm-suite directories to cve-scanning-node.yml matrix
   • Add calm-suite directories to license-scanning-node.yml matrix
   • Verify Renovate/Dependabot picks up calm-suite dependencies

Alternatives Considered:

• Keep pnpm: The current approach works with working-directory scoping in CI, but creates a split ecosystem with two package managers, two lock file formats, and gaps in automated scanning/updates.
• Migrate to a nested npm workspace: Add only the top-level calm-suite dirs to root workspaces rather than flattening the calm-studio sub-packages. This would be simpler but may not resolve inter-package dependencies correctly.

Testing Strategy:

• Verify npm ci at root succeeds and installs all calm-suite dependencies
• Run full lint, typecheck, test, and build for both calm-guard and calm-studio
• Verify the Tauri desktop build still works (calm-studio)
• Verify E2E Playwright tests pass (calm-studio)
• Confirm CVE and license scanning workflows cover the new workspaces

Documentation Requirements:

• Update AGENTS.md files in calm-guard and calm-studio to reference npm instead of pnpm
• Update root AGENTS.md if build order or workspace list changes

Implementation Checklist:

• Migrate calm-guard to npm workspace
• Migrate calm-studio packages to npm workspaces
• Update CI workflows to use npm
• Add calm-suite to CVE scanning matrix
• Add calm-suite to license scanning matrix
• Verify Renovate/Dependabot coverage
• Update AGENTS.md documentation
• Tests written and passing
• Performance impact assessed

Additional Context:

Both projects were brought into the monorepo via #2320. The interim CI workflows (build-calm-guard.yml, build-calm-studio.yml, build-calm-studio-desktop.yml, automated-release-calm-studio.yml) use pnpm with working-directory scoping as a pragmatic first step. This issue tracks the follow-up work to fully integrate them into the npm workspace ecosystem.

[markscott-ms]

@rocketstack-matt there also the alternative: move from npm to pnpm. Some of the pros and cons are listed here https://pnpm.io/pnpm-vs-npm. Though that page is obviously biased to pnpm, we should research and decide which.

[opsflowanoop]

Gourav and I can look into this as well

[markscott-ms]

@opsflowanoop what do you propose - align to NPM, or PNPM?

[gjs-opsflo]

While we can go back to npm, I find pnpm to be much faster to work with (+ significantly less disk usage as I work on multiple projects) in addition to the other technical advantages shared by @markscott-ms. Since its not very difficult to migrate from npm to pnpm that could be considered for the larger project imho.

[markscott-ms]

@rocketstack-matt raised a concern in #2367 that some of the highly regulated FINOS member organisations may find it challenging to use pnpm versus the more widespread npm.

The same may be true of maven vs gradle [for CalmHub etc].

However, this only matters if they have a requirement to build from source, rather than download a prebuilt package. Proprietary integrations, extensions, authentications etc could be some of the reasons.