fix(extensions): remove silent @swamp/ datastore auto-update (swamp-club#478)

[stack72]

Summary

Closes swamp-club#478 — the first-party residual (finding ADV-13) identified during #465's autoupdate audit.

Datastore was the only extension kind that silently force-pulled registry-latest within a 24h window (maybeAutoUpdateDatastoreExtension, introduced by #942). Every other kind — models, workflows, vaults, drivers, reports — is pinned to the committed upstream_extensions.json lockfile (hardened by #465), reports available updates non-destructively via swamp extension list / swamp extension outdated, and moves version only on an explicit swamp extension pull / swamp extension update.

This PR removes the datastore anomaly rather than gating it behind a config flag, bringing datastores in line with every other kind. After this change no extension kind auto-updates — closing ADV-13 with no residual and no new config surface.

Changes

• Delete src/libswamp/extensions/datastore_auto_update.ts and its test.
• Remove maybeAutoUpdateSwampDatastore, buildLocalEditsWarning, the 4 call sites, and the now-dead imports from src/cli/resolve_datastore.ts (datastore resolution now matches every other kind: resolveDatastoreType (lockfile-pinned) → createProvider, no registry round-trip).
• Remove the 3 datastore-auto-update re-exports from the libswamp barrel.
• Trim the buildLocalEditsWarning test + unused imports from resolve_datastore_test.ts.
• Reword two stale comments in extension_list_freshness.ts that referenced the deleted file.
• Update design/extension.md: the 24h cache is no longer "used by datastore auto-update"; added a line clarifying the freshness surfaces never auto-pull.

Shared machinery is retained — extension_update_check_cache, checkExtensionVersion, FileExtensionUpdateCheckRepository, local-edits detection, and the freshness composer all have other live consumers (extension list / outdated / update / open).

Net: −579 lines.

Relationship to prior work

• Effectively reverts feat: auto-update @swamp/ datastore extensions once per day #942 (which closed feat: auto-update @swamp/ datastore extensions once per day #939's request for daily datastore freshness). The visibility feat: auto-update @swamp/ datastore extensions once per day #939 wanted is preserved by the extension list / outdated freshness surfaces; only the silent pull is removed.
• The local-edits protection (Issue 11: Remove deprecated artifact entities and repositories #126) is not lost — it still guards explicit swamp extension pull --force, which is now the only way a datastore moves version.

Test Plan

• deno fmt --check, deno lint, deno check — clean
• deno run test src/cli/resolve_datastore_test.ts — 23 passed
• deno run test — 6444 passed; 1 unrelated pre-existing flake (integration/workflow_test.ts model-delete/workflow --json stdout parse under full-suite parallelism), which passes 33/33 in isolation and touches no datastore code
• deno run compile — binary builds

Follow-ups (not in this PR)

• Check the swamp-club manual for any "datastores auto-update daily" copy and fold into fix: prevent symlink path traversal in file writes #481 or file a fresh docs issue.

🤖 Generated with Claude Code

[github-actions]

CLI UX Review

Blocking

None.

Suggestions

None.

Verdict

PASS — This PR removes silent datastore auto-update behavior with no visible UX regressions. The user-facing extension surfaces (swamp extension list, swamp extension outdated, swamp extension pull) are untouched. The deleted buildLocalEditsWarning message was only reachable via the now-removed auto-update code path. The extension_list_freshness.ts changes are comment-only; the updateStatus output shape and values are identical. Users who want datastore updates now run swamp extension pull explicitly, which is more predictable than the previous silent behavior.

[github-actions]

Adversarial Review

This PR removes the silent datastore auto-update path (maybeAutoUpdateDatastoreExtension and all call sites), aligning datastores with every other extension kind that only moves version on explicit user action.

Critical / High

None found.

Medium

None found.

Low

1. src/cli/resolve_datastore.ts — resolve import removed but join retained: The resolve import was only used by the deleted maybeAutoUpdateSwampDatastore function. Its removal is correct and the remaining join import is still used throughout the file. No issue — just noting completeness of the cleanup.

2. Design doc phrasing (design/extension.md:121): "no extension kind is auto-pulled or upgraded as a side effect" is a strong invariant claim. If a future PR introduces auto-pull for any kind, this line will need updating. Not a code bug — just a documentation maintenance note.

Verdict

PASS — Clean, mechanical deletion with no dangling references, no broken imports, and no behavioral regressions. All 4 call sites removed, both source files and their tests deleted, barrel exports trimmed, and stale comments updated. The shared infrastructure (extension_update_check_cache, checkExtensionVersion, FileExtensionUpdateCheckRepository, local-edits detection) is correctly retained as it has other live consumers. grep confirms zero remaining references to any deleted symbol across the codebase.

[github-actions]

Code Review

Clean removal of the datastore auto-update anomaly. The PR is well-scoped and thorough.

Blocking Issues

None.

Suggestions

None — this is a clean deletion. All references to the removed code have been eliminated:

• datastore_auto_update.ts and its test deleted entirely
• maybeAutoUpdateSwampDatastore, buildLocalEditsWarning, and all 4 call sites in resolve_datastore.ts removed
• resolve correctly dropped from the @std/path import (only join remains)
• assertStringIncludes and buildLocalEditsWarning removed from test imports
• libswamp barrel re-exports removed
• Stale comment references in extension_list_freshness.ts updated
• Design doc updated to clarify no extension kind auto-pulls
• No dangling references remain anywhere in the codebase
• Shared machinery (extension_update_check_cache, checkExtensionVersion, FileExtensionUpdateCheckRepository, local-edits detection) correctly retained for live consumers

The libswamp import boundary is respected — resolve_datastore.ts (a CLI module) no longer imports from src/libswamp/mod.ts for this feature, and the barrel no longer exports the deleted types.

Net −579 lines with a clear security improvement (closing ADV-13).