Add client steps implementation to support existing functionalities

[alfonso-noriega]

Add build step infrastructure for extension asset management

WHY are these changes introduced?

This introduces a flexible build step system to handle various asset copying and processing needs for different extension types, replacing hardcoded build logic with configurable steps.

WHAT is this pull request doing?

• Adds 'admin' to the CONFIG_EXTENSION_IDS array for admin extensions
• Creates new build step executors:
  • executeIncludeAssetsStep - handles pattern-based, static, and config-key-driven asset copying with comprehensive test coverage
  • executeCopyStaticAssetsStep - copies static assets defined in extension build manifests
  • executeCreateTaxStubStep - generates minimal JavaScript stub files for tax calculation extensions
• Implements a centralized step router (executeStepByType) that dispatches to appropriate handlers based on step type
• Supports multiple inclusion strategies:
  • Pattern-based file selection using glob patterns
  • Static file/directory copying with optional destination paths
  • Configuration key resolution for dynamic path discovery
  • Configurable structure preservation and flattening options

How to test your changes?

1. Create an extension with various asset types (static files, pattern-matched files, config-driven paths)
2. Configure build steps using the new include_assets step type with different inclusion strategies
3. Run the build process and verify assets are copied correctly to output directories
4. Test with admin extensions to ensure they're recognized as config extensions
5. Run the comprehensive test suite for include-assets-step.test.ts

Measuring impact

How do we know this change was effective? Please choose one:

• n/a - this doesn't need measurement, e.g. a linting rule or a bug-fix

Checklist

• I've considered possible cross-platform impacts (Mac, Linux, Windows)
• I've considered possible documentation changes

[alfonso-noriega]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• Add client steps implementation to support existing functionalities #6966 : 2 dependent PRs (#6867 , #6941 ) 👈 (View in Graphite)
• Create abstract client steps infrastracture to externalize the ap modules client configurations #6965
• Clean up module outputFile calculation and move it to the specifications #6967
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

We detected some changes at packages/*/src and there are no updates in the .changeset.
If the changes are user-facing, run pnpm changeset add to track your changes and include them in the next release CHANGELOG.

Caution

DO NOT create changesets for features which you do not wish to be included in the public changelog of the next CLI release.

[github-actions]

Coverage report

St.❔	Category	Percentage	Covered / Total
🟡	Statements	77.28%	14707/19031
🟡	Branches	70.83%	7286/10287
🟡	Functions	76.28%	3733/4894
🟡	Lines	78.77%	13907/17655

Test suite run success

3836 tests passing in 1483 suites.

Report generated by 🧪jest coverage report action from 4feb5ae

[binks-code-reviewer]

Path traversal: include_assets can write outside outputDir

joinPath(outputDir, entry.destination) is used directly with user-controlled config (destination). If destination is absolute (/etc) or contains ../.., it can escape outputDir and overwrite arbitrary files on the machine running the build (CI runner, developer machine). Same class of issue exists for entry.baseDir (controls sourceDir), copySourceEntry(...destination) (static destination), copyConfigKeyEntry(...destination) (configKey destination), and copyConfigKeyEntry where the config value itself can be ../../something.

Because build manifests/config are extension-provided, a malicious extension (or compromised repo) could cause the CLI to overwrite sensitive files or poison other build artifacts.

[binks-code-reviewer]

🤖 Code Review · #projects-dev-ai for questions
React with 👍/👎 or reply — all feedback helps improve the agent.

✅ Complete - 2 findings

📋 History

❌ Failed → ✅ 1 findings → ❌ Failed → ❌ Failed → ✅ 1 findings → ✅ 2 findings