Validate Windows distribution mode

[jsdavid278-cyber]

Fixes #598.

Changes:

• validate desktop-win distribution at runtime before package planning or shipping
• keep generated artifact selection and store URL logic based on the validated distribution
• add regression tests for invalid distribution in build and dry-run ship flows

Validation:

• vitest run packages/targets/desktop-win/src/index.test.ts
• tsc -p packages/targets/desktop-win/tsconfig.json --noEmit

[greptile-apps]

Greptile Summary

This PR adds runtime validation of the distribution config field for the Windows desktop target, ensuring only 'msstore', 'msi', or 'both' are accepted before any build planning or publish logic runs. It also wires two regression tests that verify invalid distributions are rejected in both the build and ship flows.

• A requireDistribution helper is introduced and called at the entry point of both buildPlan (used by build) and ship, so malformed config is caught before any filesystem writes or network calls.
• The URL-construction and artifact-extension selection in build/ship are updated to use the narrowed, validated distribution local rather than the raw config.distribution.
• Two new tests cover the invalid-distribution case; the ship test exercises only the dry-run path, which works correctly today but wouldn't catch a future regression that moved the guard past the dry-run early return.

Confidence Score: 4/5

Safe to merge; changes are small and well-scoped with no impact on valid-distribution code paths.

The implementation is correct — validation fires before any side effects in both build and ship. The log line in ship still references the raw config.distribution rather than the narrowed local, and the ship rejection test only exercises the dry-run branch, so a guard-ordering regression in the production path would go undetected. Neither issue affects current behavior.

Both changed files are straightforward; the test file is worth a second look to confirm the ship coverage intent.

Important Files Changed

Filename	Overview
packages/targets/desktop-win/src/index.ts	Adds requireDistribution guard called at the top of both build (via buildPlan) and ship; one minor inconsistency where ship logs the raw config.distribution instead of the validated local.
packages/targets/desktop-win/src/index.test.ts	Adds two regression tests for invalid distributions; the ship test only uses dryRun: true, which covers the validation path but would not catch a regression that relocated the guard past the dry-run early return.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[build or ship called] --> B[requireDistribution]
    B --> C{Valid distribution?}
    C -- No --> D[throw Error: must be msstore, msi, or both]
    C -- Yes --> E[return validated distribution]
    E --> F{dryRun?}
    F -- Yes in build --> G[write package-plan JSON and return artifact]
    F -- Yes in ship --> H[return id dry-run]
    F -- No in build --> I[select ext from plan.distribution and return artifact]
    F -- No in ship --> J[build Store URL from validated distribution and return]

Loading

_{Reviews (1): Last reviewed commit: "Validate Windows distribution mode" | Re-trigger Greptile}

[greptile-apps]

The log line still reads from config.distribution (the raw, pre-narrowed value) rather than the already-validated distribution local. While the two values are always equal after requireDistribution returns, using the unvalidated field here is inconsistent with how the rest of ship (and the entire build path) uses the narrowed local. If the log is ever moved above the requireDistribution call during a future refactor, an invalid distribution would be silently printed before the error is thrown.

Suggested change

	ctx.log(`publish ${config.appId}@${ctx.version} · distribution=${config.distribution}`);
	ctx.log(`publish ${config.appId}@${ctx.version} · distribution=${distribution}`);

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

Ship-rejection test only exercises the dry-run path

The new ship rejection test passes dryRun: true, which causes the production code to hit requireDistribution → throw before reaching the dryRun early return. That's correct and the test does verify the right thing. However, because the test never reaches the non-dry-run branch (the URL-construction logic), a regression that accidentally placed requireDistribution after the dryRun guard would not be caught — the test would still pass (dryRun short-circuits and never reaches the moved call). Consider adding a non-dryRun assertion or at least a comment explaining that validation intentionally fires before the dry-run check.