chore: switch workspace to pnpm

.github/workflows/deploy.yml

@@ -17,19 +17,20 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
-      - run: npm ci
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
       - name: Resolve screenshot metadata
         run: |
           echo "APP_VERSION=$(git describe --tags --abbrev=0 2>/dev/null || printf 1.0.0)" >> "$GITHUB_ENV"
           echo "COMMIT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
       - name: Build release screenshots
         env:
           PW_BROWSER_CHANNEL: chrome
-        run: npm --workspace @DarkAuth/test-suite run test:screenshots
+        run: pnpm --filter @DarkAuth/test-suite test:screenshots
       - name: Deploy release screenshots
         env:
           RELEASE_DEPLOY_STORAGE_ZONE: ${{ vars.RELEASE_DEPLOY_STORAGE_ZONE }}
@@ -41,14 +42,13 @@ jobs:
     needs: deploy-release-screenshots
     steps:
       - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
-      - run: npm ci
-      - run: |
-          cd packages/brochureware
-          npm run build
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm --filter @DarkAuth/brochureware build
       - run: |
           cd packages/brochureware
           node deploy.js
@@ -65,14 +65,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
-      - run: npm ci
-      - run: |
-          cd packages/docs
-          npm run build
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm --filter @DarkAuth/docs build
       - run: |
           cd packages/docs
           node deploy.js

.github/workflows/pr-checks.yml

@@ -23,15 +23,16 @@ jobs:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 1
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
-      - run: npm ci
-      - run: npm --workspace @DarkAuth/test-suite run pretest
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm --filter @DarkAuth/test-suite pretest
       - run: |
           cd packages/test-suite
-          COLOR_SCHEME=light PW_REPORTER=dot PW_ARTIFACTS=on npx playwright test tests/${{ matrix.suite }} --reporter=dot --workers=1 --retries=0 --output=test-results-light-${{ matrix.suite }}
+          COLOR_SCHEME=light PW_REPORTER=dot PW_ARTIFACTS=on pnpm exec playwright test tests/${{ matrix.suite }} --reporter=dot --workers=1 --retries=0 --output=test-results-light-${{ matrix.suite }}
       - uses: actions/upload-artifact@v4
         if: always()
         with:
@@ -55,15 +56,16 @@ jobs:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 1
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
-      - run: npm ci
-      - run: npm --workspace @DarkAuth/test-suite run pretest
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm --filter @DarkAuth/test-suite pretest
       - run: |
           cd packages/test-suite
-          COLOR_SCHEME=dark PW_REPORTER=dot PW_ARTIFACTS=on npx playwright test tests/${{ matrix.suite }} --reporter=dot --workers=1 --retries=0 --output=test-results-dark-${{ matrix.suite }}
+          COLOR_SCHEME=dark PW_REPORTER=dot PW_ARTIFACTS=on pnpm exec playwright test tests/${{ matrix.suite }} --reporter=dot --workers=1 --retries=0 --output=test-results-dark-${{ matrix.suite }}
       - uses: actions/upload-artifact@v4
         if: always()
         with:
@@ -81,14 +83,13 @@ jobs:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 1
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
-      - run: npm ci
-      - run: |
-          cd packages/brochureware
-          npm run build
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm --filter @DarkAuth/brochureware build
 
   test-docs:
     name: Docs Build
@@ -99,11 +100,10 @@ jobs:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 1
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
-      - run: npm ci
-      - run: |
-          cd packages/docs
-          npm run build
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm --filter @DarkAuth/docs build

.github/workflows/test.yml

@@ -33,9 +33,10 @@ jobs:
       PW_BROWSER_CHANNEL: chrome
     steps:
       - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
-      - run: npm ci
-      - run: npm run test -w @DarkAuth/api -w @darkauth/client -w @DarkAuth/md-to-pdf -w opaque-ts -w @DarkAuth/user-ui
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm --filter @DarkAuth/api --filter @darkauth/client --filter opaque-ts --filter @DarkAuth/user-ui test

.github/workflows/trigger-release.yml

@@ -19,15 +19,16 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
-      - run: npm ci
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
       - name: Create release
         env:
           GITHUB_TOKEN: ${{ github.token }}
-        run: npx -y semantic-release
+        run: pnpm exec semantic-release
       - name: Resolve release tag
         id: release_tag
         run: |
@@ -81,13 +82,14 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
-      - run: npm ci
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
       - name: Build release screenshots
-        run: npm --workspace @DarkAuth/test-suite run test:screenshots
+        run: pnpm --filter @DarkAuth/test-suite test:screenshots
       - name: Deploy release screenshots
         env:
           RELEASE_DEPLOY_STORAGE_ZONE: ${{ vars.RELEASE_DEPLOY_STORAGE_ZONE }}
@@ -194,24 +196,25 @@ jobs:
       RELEASE_TAG: ${{ needs.release.outputs.tag }}
     steps:
       - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
+          cache: 'pnpm'
           registry-url: 'https://registry.npmjs.org'
-      - run: npm ci
+      - run: pnpm install --frozen-lockfile
       - id: release_version
         run: echo "value=${RELEASE_TAG#v}" >> "$GITHUB_OUTPUT"
-      - run: npm version ${{ steps.release_version.outputs.value }} --no-git-tag-version -w @darkauth/client
-      - run: npm run build -w @darkauth/client
+      - run: pnpm --dir packages/darkauth-client version ${{ steps.release_version.outputs.value }} --no-git-tag-version
+      - run: pnpm --filter @darkauth/client build
       - id: published
         env:
           VERSION: ${{ steps.release_version.outputs.value }}
         run: |
-          if npm view @darkauth/client@"$VERSION" version >/dev/null 2>&1; then
+          if pnpm view @darkauth/client@"$VERSION" version >/dev/null 2>&1; then
             echo "exists=true" >> "$GITHUB_OUTPUT"
           else
             echo "exists=false" >> "$GITHUB_OUTPUT"
           fi
       - if: steps.published.outputs.exists != 'true'
-        run: npm publish -w @darkauth/client --provenance --access public
+        run: pnpm --dir packages/darkauth-client publish --provenance --access public --no-git-checks

AGENTS.md

@@ -16,4 +16,4 @@ Only the main top level thread/agent should follow these:
   - frontend-developer
   - security-auditor
   - test-writer
-- After making your change make sure you run the `npm run tidy` and `npm run build` when you have finished.
+- After making your change make sure you run the `pnpm tidy` and `pnpm build` when you have finished.

Dockerfile

@@ -5,21 +5,24 @@ ARG COMMIT_HASH=""
 ENV APP_VERSION=$APP_VERSION
 ENV COMMIT_HASH=$COMMIT_HASH
 RUN apk add --no-cache python3 make g++ git
-COPY package.json package-lock.json ./
+RUN corepack enable
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
 COPY packages ./packages
 COPY scripts ./scripts
-RUN npm ci
-RUN npm run build
-RUN npm prune --omit=dev --ignore-scripts
+RUN pnpm install --frozen-lockfile
+RUN pnpm run build
+RUN CI=true pnpm prune --prod && pnpm install --prod --frozen-lockfile --ignore-scripts
 
 FROM node:24-alpine
 WORKDIR /app
 ENV NODE_ENV=production
 RUN apk add --no-cache libstdc++
 COPY --from=builder /app/package.json ./package.json
-COPY --from=builder /app/package-lock.json ./package-lock.json
+COPY --from=builder /app/pnpm-lock.yaml ./pnpm-lock.yaml
+COPY --from=builder /app/pnpm-workspace.yaml ./pnpm-workspace.yaml
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/packages/api/package.json ./packages/api/package.json
+COPY --from=builder /app/packages/api/node_modules ./packages/api/node_modules
 COPY --from=builder /app/packages/api/src ./packages/api/src
 COPY --from=builder /app/packages/api/drizzle ./packages/api/drizzle
 COPY --from=builder /app/packages/user-ui/package.json ./packages/user-ui/package.json

README.md

@@ -54,13 +54,13 @@ Or use an existing PostgreSQL instance and configure the `postgresUri` in `confi
 ### 2. Install Dependencies
 
 ```bash
-npm install
+pnpm install
 ```
 
 ### 3. Run Database Migrations
 
 ```bash
-npm run db:push
+pnpm db:push
 ```
 
 ### 4. Configuration
@@ -93,7 +93,7 @@ kekPassphrase: "your-strong-passphrase"
 #### Option A: Interactive Web Installer (Recommended)
 
 ```bash
-npm start
+pnpm start
 ```
 
 Visit the installation URL shown in the console (includes a one-time token).
@@ -106,13 +106,13 @@ The installer will guide you through:
 #### Option B: CLI Installation
 
 ```bash
-npm run install:script
+pnpm install:script
 ```
 
 ### 6. Start the Server
 
 ```bash
-npm start
+pnpm start
 ```
 
 ### 7. Access the System
@@ -127,7 +127,7 @@ Run with hot-reloading and Vite dev servers:
 
 ```bash
 # Set proxyUi: true in config.yaml for proxied development
-npm run dev
+pnpm dev
 ```
 
 This runs all three services concurrently:
@@ -144,7 +144,7 @@ This runs all three services concurrently:
 
 ### Project Structure
 
-DarkAuth is organized as a monorepo with npm workspaces:
+DarkAuth is organized as a monorepo with pnpm workspaces:
 
 ```
 packages/
@@ -326,19 +326,19 @@ use the existing old-password recovery flow or generate new keys.
 
 ```bash
 # Build all packages
-npm run build
+pnpm build
 
 # Type checking
-npm run typecheck
+pnpm typecheck
 
 # Linting
-npm run lint
+pnpm lint
 
 # Code formatting
-npm run format
+pnpm format
 
 # Start production server (ensure config.yaml is configured)
-npm start
+pnpm start
 ```
 
 ## Testing
@@ -347,19 +347,19 @@ The project uses Playwright for end-to-end testing:
 
 ```bash
 # Install Playwright browsers (first time only)
-npm run test:install
+pnpm test:install
 
 # Run all tests
-npm test
+pnpm test
 
 # Run with detailed output
-npm run test:report
+pnpm test:report
 
 # Run in headed mode (with browser UI)
-npm run test:headed
+pnpm test:headed
 
 # Debug tests
-npm run test:debug
+pnpm test:debug
 ```
 
 ## Security Considerations

agents/backend-developer.agent.md

@@ -30,5 +30,5 @@ Guardrails:
 - Do not add comments unless absolutely necessary.
 
 When finished you MUST:
-- Run `npm run tidy` and fix problems until it passes.
-- Run `npm run build` and fix problems until it passes.
+- Run `pnpm tidy` and fix problems until it passes.
+- Run `pnpm build` and fix problems until it passes.

agents/documentation-writer.agent.md

@@ -28,5 +28,5 @@ Guardrails:
 
 Done criteria:
 - Docs are accurate, updated, and easy to scan.
-- `npm run tidy` passes.
-- `npm run build` passes.
+- `pnpm tidy` passes.
+- `pnpm build` passes.

agents/frontend-developer.agent.md

@@ -30,5 +30,5 @@ Guardrails:
 
 Done criteria:
 - UI behavior matches backend contracts and existing user flows.
-- `npm run tidy` passes.
-- `npm run build` passes.
+- `pnpm tidy` passes.
+- `pnpm build` passes.

agents/test-writer.agent.md

@@ -30,5 +30,5 @@ Guardrails:
 
 Done criteria:
 - Tests prove expected behavior and prevent regressions.
-- `npm run tidy` passes.
-- `npm run build` passes.
+- `pnpm tidy` passes.
+- `pnpm build` passes.