Overhaul CI/CD and quality assurance

[joao-onfleet]

Overview

Overhauls the project's quality assurance and CI setup. Before this change the test suite, library import, and dependency lockfile were all broken at HEAD (masked because CI only ran at release time on a pinned Node 20). This PR restores a working, gated baseline and adds coverage, lint enforcement, and PR-level CI.

Why

A QA audit found three compounding breakages at HEAD:

Area	Before
npm test	🔴 SyntaxError — failed to run
Library import (Node ≥22)	🔴 threw on import
package-lock.json	🔴 invalid JSON → npm ci/npm audit broke
Lint	🔴 215 errors, not wired to CI
PR-level CI	🔴 none (only release-time publish)
Coverage	🔴 not measured

Changes

CI / tooling

• New .github/workflows/ci.yml running on pull_request + push to master:
  • test across a Node 20 / 22 / 24 matrix
  • lint (blocking)
  • coverage (c8, enforces thresholds, uploads lcov.info)
  • audit (npm audit --audit-level=high)
  • Uses actions/checkout@v4 + setup-node@v4 with npm caching.
• Coverage tooling: added c8, npm run coverage, and .c8rc.json thresholds.

Fixes

• lib/onfleet.js: replaced the deprecated assert { type: 'json' } import attribute (removed in Node 22, also unparseable by ESLint 8) with a portable createRequire('../package.json'). Restores Node 22/24 support.
• package-lock.json: repaired invalid JSON (a missing },) so npm ci/npm audit work again.
• package.json overrides: scoped the blanket brace-expansion override per-major (@1/@2/@3/@4) so modern minimatch@10 (needs brace-expansion@^5) installs, while bumping the pins to ^1.1.13/^2.0.3 — which also closes a newer advisory (GHSA-f886-m6hf-6m8v) the original ^2.0.2 pin was exposed to.

Lint

• Reworked .eslintrc.json: env: node/es2022, a test/** override with env: mocha, corrected import/extensions for this ESM project (requires .js), and prefer-destructuring: {array:false}.
• Auto-fixed ~130 stylistic issues; hand-fixed the rest in Methods.js/onfleet.js (removed a useless try/catch, renamed a shadowed var, for…of→forEach). All behavior-preserving.
• npm run lint now exits 0 and is a required CI check.

Tests

• Added 16 nock-based tests covering the 6 previously-untested resources (Containers, Destinations, Hubs, Organization, Routeplan, Webhooks) + fixtures.
• Suite: 23 → 38 passing. Fixed a shared rate-limiter depletion cascade by returning x-ratelimit-remaining in mocks (mirrors the real API).

Verification

Gate	Result
npm run lint	🟢 0 errors
npm test	🟢 38 passing
npm run coverage	🟢 94.1% lines, thresholds met
npm ci	🟢 clean, lockfile in sync
npm audit --audit-level=high	🟢 0 high/critical
Library import (Node 22)	🟢 loads

Coverage: 94.1% lines/statements, 91.9% branches, 74.4% functions — all resource files at 100%.

Residual (non-blocking)

npm audit reports 1 moderate (js-yaml, via eslint/mocha — dev-only, never shipped). Its only fix is js-yaml 5.x (a breaking major those tools don't support), so it's deferred to an upstream eslint/mocha bump. Dependabot tracks it; the --audit-level=high gate stays green.

Follow-up (admin, after merge)

Enable branch protection on master requiring the new checks (Test (Node 20/22/24), Lint, Coverage, Security audit) — a gate is only as strong as its enforcement.

[cubic-dev-ai]

1 issue found across 15 files

Confidence score: 4/5

• In .github/workflows/ci.yml, not declaring an explicit permissions block leaves GITHUB_TOKEN at repository defaults, which can grant broader write access than intended and increase CI supply-chain blast radius if a job is compromised — add a top-level least-privilege permissions policy (and job-level overrides only where needed) before merging.

<sub>Shadow auto-approve: would not auto-approve because issues were found.

Re-trigger cubic</sub>

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

<sub>Shadow auto-approve: would require human review. PR includes significant source code refactors (removing try-catch, restructuring imports) alongside CI and tooling changes. These modifications to business logic files require human review to ensure no regressions.

Re-trigger cubic</sub>