Preserve stale-spec guidance on atomic install failures

When execute-atomic-operations fails during listing install, the error is now propagated verbatim. This drops the listing-specific handling for the known stale-spec case (filter refers to a nonexistent type), so users get a low-level backend error instead of the actionable "Update Specs" instruction and can’t recover from install failures without manual debugging.

Useful? React with 👍 / 👎.

Validate fetched card JSON as single-card document

This check only verifies that a data key exists, then treats doc.data as a single card resource. If FetchCardJsonCommand returns a collection-style JSONAPI payload (data array) or another non-single shape, we will construct invalid atomic add operations instead of failing early, which makes installs fail later with harder-to-diagnose errors.

Useful? React with 👍 / 👎.

writtenFiles is derived via r.data?.id, which can yield undefined entries when the atomic-op result shape differs (or data is missing). Consider filtering out falsy ids (or validating the result shape) before logging so the debug output accurately reflects what was written.

moduleInspectorView is cast to 'schema' | 'spec' | 'preview' without runtime validation. Since the input card field is a plain StringField, an unexpected value can still be passed through and persisted to localStorage, potentially breaking later reads of the selection. Consider validating the input against the allowed set and throwing a clear error for invalid values instead of using a type cast.

SanitizeModuleListCommand currently assumes every entry in input.moduleUrls is a valid absolute URL. new URL(m) will throw on any invalid/relative value, which will abort the entire command rather than filtering the bad entry (the previous inline sanitizers used try/catch per dep). Consider wrapping URL parsing/normalization in a per-item try/catch and skipping invalid module URLs instead of failing the whole command.

AuthedFetchCommand swallows JSON parse errors and still returns { ok: true, body: {} } when response.ok but the body isn't valid JSON. This can mask server issues and lead callers to proceed with an empty object. Consider either (a) returning the raw text when JSON parsing fails, (b) exposing a parseError/isJson flag, or (c) treating "ok" as false (or throwing) when an acceptHeader indicates the caller expects JSON but parsing fails.

GetRealmOfUrlCommand calls new URL(input.url) without handling parse failures. Since this command is used as part of module/dependency sanitization, a single invalid/relative URL string would throw and interrupt the whole flow. Consider catching URL construction errors and returning an empty realmUrl (or a non-ok result) instead of throwing.

getCatalogRealm() can return undefined, but the result is interpolated into the adoptsFrom module URL. If no catalog realm is found, this will generate a malformed URL like undefinedcatalog-app/... and lead to hard-to-debug downstream errors. Consider validating catalogRealm and throwing a clear error when it is missing (or falling back to a known default).

The new document-shape check (!doc || !('data' in doc)) is much weaker than the previous isSingleCardDocument validation. This can allow non–single-card documents (or unexpected shapes) through and then build atomic operations with invalid data, causing server-side failures or corrupted writes. Consider restoring isSingleCardDocument (or an equivalent structural check) before mutating/using doc.data.

ListingInstallCommand previously translated a known atomic-ops failure (filter refers to a nonexistent type) into a more actionable, user-facing error. With the refactor to ExecuteAtomicOperationsCommand, that special-case is lost and users may now see a low-level server detail. Consider reintroducing that mapping either here (around the execute call) or inside ExecuteAtomicOperationsCommand so the UX doesn't regress.