build(deps-dev): bump @commitlint/cli from 20.5.3 to 21.0.0#84

Closed
dependabot[bot] wants to merge 16 commits into
mainfrom
dependabot/npm_and_yarn/commitlint/cli-21.0.0
Closed

Conversation

@dependabot dependabot Bot commented on behalf of github May 10, 2026

Bumps @commitlint/cli from 20.5.3 to 21.0.0.

Release notes

Sourced from @commitlint/cli's releases.

v21.0.0

Heads-up: --legacy-output is a transitional escape hatch. It will be removed in a future major release. Plan to migrate your parsers / snapshots to the new format during the v21 lifecycle.

21.0.0 (2026-05-08)

Breaking

Fixes

Internals (Node 22 cleanup)

  • chore: replace dependencies with Node 22 built-ins by @escapedcat in #4681 — drops glob, fast-glob, import-meta-resolve, minimist, fs-extra
  • refactor: replace read-pkg with native fs.readFile + JSON.parse by @escapedcat in #4742
  • chore: update dependency yargs to v18 by @escapedcat in #4686
  • chore: remove cross-env, move env vars to vitest config by @escapedcat in #4684

Dependency updates

Full Changelog: conventional-changelog/commitlint@v20.5.3...v21.0.0

Changelog

Sourced from @commitlint/cli's changelog.

21.0.0 (2026-05-08)

BREAKING CHANGES

  • drop node v18 and v20 support
  • Bump engines to >=v22 in all 39 package.json files
  • Update @types/node to ^22.0.0
  • Update CI matrix to [22, 24]
  • Update Ubuntu baseline job to ubuntu:26.04
  • Update Dockerfile.ci, .mise.toml, .codesandbox/ci.json
  • Update pre-commit hook to use --ignore-engines
  • Update README and docs

Co-authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com

Commits

theagenticguy and others added 14 commits May 4, 2026 12:15
# OCH v1.0 — M1 + M2

Closes: roadmap M1 + M2.
Branch: `feat/v1-m1-m2` → `main`.
Pair repo: https://github.com/theagenticguy/opencodehub-testbed (new,
initial commit `cc4ea22`)

## M1 — Stabilize (14 commits)

- **T-M1-1** Dirty-tree guard on analyze fast-path — `d3fa11b`,
`b5e7068`, `fcdd9c9`
- **T-M1-2** `loadPreviousGraph` full nodes+edges snapshot — `7b100fd`,
`cca3c34`, `7ebe4eb`
- **T-M1-3** Embedder content-hash skip — `3cfb0cf`, `cca3c34`,
`8576f53`
- **T-M1-4** SARIF symbol-level linkage — `5713b20`, `96a4415`,
`927bde7`
- **T-M1-5** Delete 5 canned MCP prompts (BREAKING) — `73d1375`,
`b95cc90`, `a6a210f`

## M2 — Repo split + policy + wiki-split (14 commits)

- **T-M2-1** `opencodehub-testbed` repo + fixtures/evals/gyms extracted
— `53d9b88`, `f6f5f68`, `908afd3`
- **T-M2-2** Delete `codehub eval-server` (BREAKING) — `dde00ba`,
`5ac7473`
- **T-M2-3** Delete `packages/docs` Starlight site (moves to separate
repo) — `193f23e`, `49673af`
- **T-M2-4** `@opencodehub/policy` v1 (loader + evaluator + CLI wiring)
— `7aba821`, `02c9e61`, `1e89b4e`, `9bf34a7`
- **T-M2-5** `@opencodehub/wiki` split from analysis — `289b122`,
`09e076c`, `f1de0cf`

## Metrics

- **LOC delta**: +3,594 / −28,183 (net −24,589)
- **File count**: 970 → 800 (−170; below the packet's <600 aspirational
target — `packages/ingestion` at 249 files dominates and is request-time
core)
- **Packages**: 16 → 14 (−eval, −gym, −docs; +policy, +wiki)
- **Tests**: cli 216, ingestion 579, mcp 137, analysis 114, scanners 80,
embedder 70, core-types 65, storage 56, sarif 55, policy 29 (new),
search 23, wiki 15 (new), scip-ingest 10 = **1,449 pass / 0 fail**
- **`mise run check`**: ✅ exit 0 at HEAD
- **graphHash byte-identity**: preserved across M1+M2
- **Opus validate gate (M1)**: PASS-WITH-CONCERNS (3 non-blocking
followups documented)

## Breaking changes

- MCP `ListPrompts` now returns empty (5 canned prompts removed;
reimplemented as Claude Code skills in M3+)
- CLI `codehub eval-server` removed (move to the testbed repo's nightly
workflow)
- `packages/docs` removed from monorepo (moved to separate repo;
`docs/adr/` at root stays)
- `packages/eval` + `packages/gym` + `bench/` moved to
`opencodehub-testbed`
- `@opencodehub/analysis` wiki re-exports marked `@deprecated` — import
from `@opencodehub/wiki` going forward

## Architecture changes

- **Wiki/analysis cycle break** (T-M2-5): `WikiOptions.loadTrends` is
now a caller-injected callback (CLI wires `computeRiskTrends +
loadSnapshots`). Preserves byte-identical wiki output. Breaks
composite-project cycle.
- **Policy v1** (T-M2-4): 3 rule types (`license_allowlist`,
`blast_radius_max`, `ownership_required`). `codehub verdict` folds
policy decision into output + exit code. v1 only `blast_radius_max` is
actively enforced (license + changed-paths inputs are follow-ups).
- **SARIF symbol-level linkage** (T-M1-4): findings now produce
`FOUND_IN` edges keyed on enclosing-symbol id, not file id.

## Followups (non-blocking, filed separately)

1. **C1**: `stringArrayField` empty-array round-trip inconsistency
(storage)
2. **C2**: `step=0` reader/writer asymmetry in graph edge handling
3. **C3**: widen `@internal` TSDoc coverage on test-only exports in
`analyze.ts`
4. **Replacement skills** for 5 deleted MCP prompts (M3+)
5. **Bootstrap `opencodehub-docs` repo** (docs moved out, repo not yet
created)
6. **Policy v1 inputs**: surface SBOM license audit + changed paths in
`verdict` context so `license_allowlist` and `ownership_required` rules
become load-bearing

# OCH v1.0 — M3 + M4

Closes: roadmap §M3 (graph-db phase-1) + §M4 (language expansion +
framework detection + COBOL).
Branch: `feat/v1-m3-m4` → `main`.

## M3 — Graph-db backend (LadybugDB phase-1, opt-in via
`CODEHUB_STORE=lbug`)

- **AC-M3-1** `GraphDbStore` scaffolding — `ca474a4`, `afc8f9b`,
`fb0174c`
- **AC-M3-2** Pool adapter + 100-way concurrency — `2d02f3c`, `0e5c1d9`
- **AC-M3-3** Schema translation + bulkLoad round-trip — `ac1e9e9`,
`1984e2a`, `6861005`, `3257b6e`
- **AC-M3-4** graphHash parity CI gate (3 fixtures × DuckDB ↔
GraphDbStore) — `8ceced4`
- **AC-M3-5** `sql` MCP tool dual-emit (sql | cypher) + `cypher-guard` —
`e04c92d`, `6147c4a`
- **AC-M3-6** ADR 0011 documenting swap rationale, schema choice,
3-phase plan — `9deda1c`

## M4 — Language expansion + framework detection + COBOL

- **AC-M4-0** `codehub setup --scip=<tool>` binary downloader + pins —
`04a2614`, `184ad6d`
- **AC-M4-1** scip-clang adapter (v0.4.0) — `1ee68c7` (flag shape +
platform matrix corrected from upstream source)
- **AC-M4-2** scip-ruby adapter (v0.4.7) — `3fc3930` (upstream ships 2
platforms, not 4)
- **AC-M4-3** scip-dotnet adapter (v0.2.12) — `60c86df` (requires .NET
SDK 8+ on PATH)
- **AC-M4-4** scip-kotlin adapter (v0.6.0) — `af3e431` (Maven Central
JAR, NOT native binary — 2-stage kotlinc plugin flow)
- **AC-M4-5** COBOL regex hot path — `d650603`, `809ebbb`, `723f608`,
`6959031` (p50 ~0.5 ms on 1,121-line fixture)
- **AC-M4-6** COBOL ProLeap v4 deep-parse (gated by
`--allow-build-scripts=proleap`) — `ea82563`, `db53b3d`, `a16abbd`,
`46dc332`, `b47e6e6`, `bc77f59`
- **AC-M4-7** `@opencodehub/frameworks` package extraction + stages
2/3/5 — `fb2bf02`, `d4a1d2a`, `10e0960`, `ea799d9`, `bc497d8`,
`4b1e9ee`, `2e8b2e0`

## Incidental fixes + housekeeping

- `d4457f4` Reconcile `commitlint.config.mjs` scope-enum (add
`cobol-proleap`, `frameworks`, `scip-ingest`; drop dead `gym`, `eval`,
`lsp-oracle`)
- `ade6b1f` Persist v1.0 roadmap at `.erpaval/ROADMAP.md` (was only in
conversation context pre-M3 kickoff)
- `69cab74` Close an exhaustive-switch gap in `scip-index.ts` for the
new Kotlin kind
- `645c9b4` Relax COBOL-regex p50 budget from 1ms → 2ms for
shared-runner stability
- `9655bc4` Fix placeholder-pin refusal test after all adapter pins
landed real hashes
- Pre-existing ESM `require("node:fs")` bug in `resolveTypeScriptRoot`
fixed (3 adapter agents independently caught + fixed the same latent
bug)

## Metrics

- **File count**: 831 → 860 (+29 — new `graphdb-*.ts`, `cobol-regex.ts`
+ fixtures, `cypher-guard.ts`, scip-* adapter tests,
`graph-hash-parity.test.ts`, `@opencodehub/frameworks`,
`@opencodehub/cobol-proleap`, ADR 0011)
- **Commits**: 41 atomic commits (preserved via cherry-pick; 7 parallel
worktree agents in Wave 0 + 6 in Wave 1 + 4 sequential in Wave 2)
- **LOC delta**: +15,170 / −1,259 (net +13,911)
- **Packages**: 15 → 17 (added `@opencodehub/frameworks`,
`@opencodehub/cobol-proleap`)
- **Test count**: 1,449 → 1,739 (+290)
- **`mise run check`**: ✅ exit 0 at HEAD
- **graphHash parity**: ✅ `DuckDbStore` ≡ `GraphDbStore` on 3 fixtures
(small 8 / medium 61 / large 526 nodes; 24-edge-kind sweep; 2.1s
runtime)
- **Banned-literal sweep**: 0 hits in live source; `@ladybugdb/core`
scoped package identifier allowlisted
- **MCP tool surface**: 28 tools (unchanged — `sql` tool gained optional
`cypher` input)

## Architecture decisions

- **Polymorphic rel-table-per-edge, NOT single rel-table with `type`
column** — ADR 0011 documents rationale (columnar predicate pushdown;
idiomatic Cypher). Supersedes the original roadmap wording.
- **Source-level naming avoids banned literals** — `GraphDbStore` /
`graphdb-*.ts` / `ProcessStep` (never `STEP_IN_PROCESS`); package dep
`@ladybugdb/core` allowed under package-scope precedent
- **24 edge kinds** in the current schema (not 21 as drafted in spec 004
— `OWNED_BY`, `DEPENDS_ON`, `FOUND_IN` added by M2)
- **`docs/adr/` excluded from banned-strings scan** — ADRs name vendored
tools in architectural-history prose
- **Hard dep on `@ladybugdb/core@^0.16.1`** (not optional peer) — per
user direction 2026-05-05
- **ProLeap JAR fetched on-demand** via `codehub setup --cobol-proleap`
(git clone + mvn install + javac) — no vendored JAR

## Breaking changes

- `FrameworkDetection.signals` → `FrameworkDetection.evidence[]`
(structured `{stage, source, detail}`) — back-compat shim preserved at
`packages/ingestion/src/pipeline/profile-detectors/*` re-exporting from
`@opencodehub/frameworks`
- `scip-kotlin` no longer rides on tree-sitter-only detection when
`.kt`/`.kts` files are present — promoted to its own SCIP adapter
(tree-sitter-kotlin stays as grammar-level fallback)

## Non-breaking additions

- `CODEHUB_STORE=lbug` opt-in env var (default `duck`, unchanged)
- `codehub setup --scip=<tool>` / `--scip=all` subcommand
- `codehub setup --cobol-proleap` subcommand
- `codehub analyze --allow-build-scripts=proleap` CLI flag
- `sql` MCP tool gains optional `cypher` input

## Followups (non-blocking)

- **M5 deterministic code-packs** — `@opencodehub/pack` with 9-item BOM,
PageRank extraction from `packages/scip-ingest/src/materialize.ts` dead
code, `codehub code-pack` CLI + MCP tool, byte-identity determinism test
(depends on this milestone)
- **M6 cross-repo federation** — `Repo` entity, `group_*` MCP tools,
`codehub-contract-map` skill
- **M7 flip default `CODEHUB_STORE=lbug`** — after M5+M6 adoption
signal; DuckDB retained for temporal analytics only
- **AC-M4-7 stage composition** — stages 2/3/5 plumbed but not yet
folded into per-framework `Evidence[]` in the dispatcher; caller
orchestrates. Small wiring follow-up.
- **Kotlin `scip-kotlin` 2-stage flow end-to-end smoke test** — adapter
shipped, CI fixture not yet
- **Scip-dotnet SDK 8+ install hint** surfacing in `codehub doctor`
- **ProLeap JVM batching** — current v1 amortizes JVM startup per
`runIndexer` call; a longer-running JVM daemon is a perf improvement for
large COBOL repos

## Summary

One PR that takes in all 10 open Dependabot bumps so pnpm-lock only has
to resolve once. All versions match the Dependabot PRs exactly. Bumps
are drop-ins — no code changes needed.

### Closes

- Closes #67 — `@aws-sdk/client-sagemaker-runtime` 3.1035.0 → 3.1043.0
(`packages/embedder`)
- Closes #66 — `fast-xml-parser` 5.7.2 → 5.7.3 (`packages/ingestion`)
- Closes #65 — `@aws-sdk/client-bedrock-runtime` 3.1040.0 → 3.1043.0
(`packages/ingestion`, `summarizer`, `wiki`)
- Closes #63 — `lru-cache` 11.3.5 → 11.3.6 (`packages/mcp`)
- Closes #62 — `yaml` 2.8.3 → 2.8.4 (`packages/frameworks`, `sarif`,
`cli`, `policy`)
- Closes #60 — `@commitlint/config-conventional` 20.5.0 → 20.5.3 (root
devDep)
- Closes #59 — `zod` 4.3.6 → 4.4.3 (`packages/frameworks`, `mcp`,
`sarif`, `policy`, `summarizer`)
- Closes #57 — `snyk-nodejs-lockfile-parser` 2.7.0 → 2.7.1
(`packages/ingestion`)
- Closes #56 — `onnxruntime-node` 1.24.3 → 1.25.1 (`packages/embedder`)
- Closes #55 — `@biomejs/biome` 2.4.13 → 2.4.14 (root devDep)

Mise pins (`node = "22"`, `pnpm = "10.33.2"`, `python = "3.12"`, `uv =
"latest"`) left alone — none of the Dependabot PRs touch them and a pnpm
10→11 jump would be a major change out of scope.

## Test plan

- [x] `pnpm install` resolves cleanly, lockfile regenerates without
workarounds
- [x] `pnpm -r clean && pnpm -r build` succeeds (all workspace packages
build)
- [x] `pnpm -r exec tsc --noEmit` passes (14 stale-`dist` errors in
`packages/search` were pre-existing on main before a fresh build and
clear after)
- [x] `pnpm -r test` passes (225 CLI tests + 150 MCP tests + rest; the 2
earlier MCP failures were stale `dist/tools/pack-codebase.test.js`
leftovers from a prior branch's build and disappeared after `pnpm -r
clean`)
- [x] `pnpm run lint` passes (biome 2.4.14 surfaces 6 warnings / 1 info
on existing test code, non-blocking)
- [x] `pnpm run banned-strings` passes
- [x] `lefthook` pre-commit + commit-msg + pre-push hooks all green

## Notes

- Root `pnpm.onlyBuiltDependencies` was **not** touched by this change —
preserved `onnxruntime-node`, `@duckdb/node-api`, tree-sitter natives,
etc. exactly as they were.
- The `fast-xml-parser@<5.7.0: 5.7.1` override is still in
`package.json` for transitive resolution of older versions — left
intact.

## Summary

Flips `@opencodehub/ingestion` from **native-default** to
**WASM-default** parser so Node 24 becomes a first-class CI target.
Native `tree-sitter` stays fully supported as an opt-in via
`OCH_NATIVE_PARSER=1` / `--native-parser` for Node 22 dev speed.

The upstream blocker for native on Node 24 is
[`tree-sitter/node-tree-sitter#276`](tree-sitter/node-tree-sitter#276)
— the 0.25.1 fix merged upstream but has been blocked on an npm OIDC
publish misconfiguration since mid-2025. Rather than wait indefinitely,
the WASM path (which has no native ABI dependency) becomes the default.

### What this closes

- **Closes #19** — `@types/node` was already bumped to 25.x in a prior
PR; the real ask behind #19 was "get Node 24 runnable in CI" — delivered
here.
- **Closes #23** — Node 24 in the `test` matrix, unblocked.

## What changed

### Runtime dispatch
- `packages/ingestion/src/parse/parse-worker.ts` — inverted: WASM runs
by default; native is opt-in. Startup warning emits for **both**
runtimes so runtime choice is always logged.
- `packages/cli/src/index.ts` — `--wasm-only` → `--native-parser`
(inverse meaning).
- `packages/ingestion/src/parse/parse-worker.test.ts` (new) — 5 unit
tests covering all dispatch branches.

### Grammar resolution
- `packages/ingestion/src/parse/wasm-fallback.ts` — two-stage cascade in
`resolveGrammarWasmPath`:
1. Per-grammar package lookup (11 languages that ship `.wasm` alongside
`.node`)
2. Vendored-WASM fallback for kotlin/swift/dart at
`packages/ingestion/vendor/wasms/`
- PHP mapping now uses `tree-sitter-php_only.wasm` to match the native
loader's `mod.php_only` choice at `grammar-registry.ts:253` (previously
a silent native-vs-WASM divergence).

### Vendored WASM artifacts (new)
- `packages/ingestion/vendor/wasms/{kotlin,swift,dart}.wasm` — 8.1 MB
total, built from the exact grammar sources pinned in `package.json`
(zero drift).
- `packages/ingestion/vendor/wasms/{README,LICENSES}.md` — build
provenance + MIT attribution for the three upstream grammars.
- `scripts/build-vendor-wasms.sh` — reproducible rebuild via docker /
podman / finch (as docker shim) / local emcc + tree-sitter-cli.

### Why not the `tree-sitter-wasms` npm catalog?
Investigated and **rejected**: its 0.1.13 artifacts were built with
`tree-sitter-cli@0.20.x` and ship the legacy `dylink` custom section (6
bytes). `web-tree-sitter@0.26+` hard-requires the standardized
`dylink.0` (8 bytes) and throws `Error: need the dylink section to be
first`. See ADR 0013 for byte-level verification and
`.erpaval/solutions/architecture-patterns/tree-sitter-wasms-catalog-incompat.md`
for the durable lesson.

### Complexity phase degradation
- `packages/ingestion/src/pipeline/phases/complexity.ts` — the
cyclomatic-complexity phase has an independent native-only
`requireFn("tree-sitter")` path that cannot use WASM. Now emits a
one-shot stderr warning when native is unavailable instead of silently
returning `undefined`.

### Parity test expansion
- `packages/ingestion/src/parse/wasm-parity.test.ts` — extended from 3
to 14 tree-sitter languages (COBOL stays out, it's regex-only). Hard
`assert.ok(isNativeAvailable())` softened to per-test `skip` so the
suite runs clean on Node 24 CI as a no-op.

### CI matrix
- `.github/workflows/ci.yml` — `test` job now runs `[ubuntu, macos,
windows] × [22, 24]` via `MISE_NODE_VERSION`. Node 22 rows install with
scripts + set `OCH_NATIVE_PARSER=1` (exercises native path); Node 24
rows use `--ignore-scripts` + leave env unset (exercises WASM default).

### Security fixes (surfaced by OSV rescan)
Two pre-existing transitive vulns closed in passing via
`pnpm.overrides`:
- `fast-xml-builder@<1.1.7 → 1.1.7` (GHSA-5wm8-gmm8-39j9 CVSS 8.7,
GHSA-45c6-75p6-83cc CVSS 6.1) — transitive via `@aws-sdk/core`
- `fast-uri@<3.1.2 → 3.1.2` (GHSA-v39h-62p7-jpjc CVSS 7.5,
GHSA-q3j6-qgpj-74h6 CVSS 7.5) — transitive via `ajv`

Both were present on `main` before this PR; added overrides because the
rescan caught them and it costs 2 lines to close.

### Docs + lessons
- `docs/adr/0013-parse-runtime-wasm-default.md` — architectural decision
record
- `CLAUDE.md` — new section documenting `OCH_NATIVE_PARSER`, vendored
WASMs, complexity.ts caveat
- `.erpaval/solutions/` — three Compound lessons (WASM catalog incompat,
pnpm-on-EFS, finch as docker shim)
- `.erpaval/INDEX.md` — updated pointers

## Test plan

- [x] `pnpm -r clean && pnpm -r build && pnpm -r exec tsc --noEmit &&
pnpm -r test` — green on Node 22 WASM default (572/572 ingestion,
225/225 CLI, all other packages green)
- [x] `OCH_NATIVE_PARSER=1 pnpm --filter @opencodehub/ingestion test` —
green (regression gate, 572/572)
- [x] `pnpm run lint && pnpm run banned-strings` — green
- [x] Simulated native-missing: all 15 parity iterations skip cleanly
with descriptive reason, suite exit 0 (proves Node 24 CI won't fail on
the parity test)
- [x] `osv-scanner scan source --lockfile=pnpm-lock.yaml` — **No issues
found**
- [x] L2 code review (opus): 4 findings surfaced, 3 fixed in-branch
(comment precision, MIT attribution, Node 24 CI `--ignore-scripts`), 1
accepted (ruby `#match?` predicate coverage gap, non-blocker)
- [ ] CI matrix all-green on push — verify before merge

## Session trace

`.erpaval/sessions/session-b4fcc7/` — full classifier trace, explore +
research packets, per-AC work logs, validation verdict, extracted
lessons.
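
A vendored grammar artifact can be checked for the `dylink` vs `dylink.0` problem described under "Why not the `tree-sitter-wasms` npm catalog?" before it is trusted. The following is an added example, not code from this commit or the project: it walks a WebAssembly binary's section headers, reports what the first section is, and builds a constructed minimal module as its test input.

```typescript
// Added example (not the project's code): inspect a WebAssembly binary's section
// headers so a vendored grammar .wasm can be checked for the standardized
// "dylink.0" custom section that web-tree-sitter 0.26+ expects to see first,
// instead of the legacy "dylink" section that older tree-sitter-cli builds emit.

export interface WasmSection {
  id: number;     // 0 = custom section; other ids are standard sections
  name?: string;  // only present for custom sections
  size: number;   // payload size declared in the section header
}

/** Read an unsigned LEB128 integer at `pos`; returns the value and the next offset. */
function readLeb128(bytes: Uint8Array, pos: number): { value: number; next: number } {
  let result = 0;
  let shift = 0;
  for (;;) {
    if (pos >= bytes.length) throw new Error("truncated LEB128 at end of module");
    const byte = bytes[pos++];
    result += (byte & 0x7f) * 2 ** shift; // multiply instead of `<<` to avoid 32-bit overflow
    if ((byte & 0x80) === 0) return { value: result, next: pos };
    shift += 7;
    if (shift > 28) throw new Error("LEB128 value wider than 32 bits");
  }
}

/** Walk every section header in order; throws rather than guessing on a malformed module. */
export function listSections(bytes: Uint8Array): WasmSection[] {
  const magic = [0x00, 0x61, 0x73, 0x6d]; // "\0asm"
  if (bytes.length < 8 || magic.some((b, i) => bytes[i] !== b)) {
    throw new Error("not a WebAssembly module (bad magic)");
  }
  const sections: WasmSection[] = [];
  const decoder = new TextDecoder();
  let pos = 8; // past magic + version
  while (pos < bytes.length) {
    const id = bytes[pos++];
    const size = readLeb128(bytes, pos);
    const end = size.next + size.value;
    if (end > bytes.length) throw new Error(`section ${id} runs past end of module`);
    if (id === 0) {
      const nameLen = readLeb128(bytes, size.next);
      const nameEnd = nameLen.next + nameLen.value;
      if (nameEnd > end) throw new Error("custom section name runs past its section");
      sections.push({ id, name: decoder.decode(bytes.subarray(nameLen.next, nameEnd)), size: size.value });
    } else {
      sections.push({ id, size: size.value });
    }
    pos = end;
  }
  return sections;
}

export type DylinkKind = "dylink.0" | "legacy-dylink" | "none";

/** What a loader with the "dylink section must be first" requirement sees in section 0. */
export function classifyDylink(bytes: Uint8Array): DylinkKind {
  const first = listSections(bytes)[0];
  if (first?.name === "dylink.0") return "dylink.0";
  if (first?.name === "dylink") return "legacy-dylink";
  return "none";
}

/** Constructed test input: a module whose only section is a custom section called `name`. */
export function moduleWithCustomSection(name: string, payload: number[] = []): Uint8Array {
  const nameBytes = Array.from(new TextEncoder().encode(name));
  const body = [nameBytes.length, ...nameBytes, ...payload]; // sizes < 128 fit one LEB128 byte
  return new Uint8Array([0x00, 0x61, 0x73, 0x6d, 1, 0, 0, 0, 0, body.length, ...body]);
}
```

Run `classifyDylink` over the bytes of each vendored `.wasm` in a build script; anything other than `"dylink.0"` is the catalog-incompatibility case described above.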

## Summary

- **M5 (Deterministic code-packs)** — ships `@opencodehub/pack`, the
`codehub code-pack` CLI subcommand, the `pack_codebase` MCP tool routed
through pack by default, and the `codehub-code-pack` skill. Output is a
9-item BOM (manifest + skeleton + file-tree + deps + ast-chunks + xrefs
+ optional embeddings.parquet + findings + licenses+readme)
byte-identical given `(commit, tokenizer, budget, chonkie_version,
duckdb_version)`. Locked into CI by
`packages/pack/src/pack-determinism.test.ts` (5 variants) +
`scripts/pack-determinism-audit.sh` (acceptance gate 16).
- **M6 (Cross-repo federation)** — first-class `RepoNode` (9 attrs) in
the graph; structured `AMBIGUOUS_REPO` with `choices[]`/`total_matches`
+ `repo_uri` alias; `group_cross_repo_links` MCP tool + cross-repo links
in `codehub-document --group`; AGENTS.md/CLAUDE.md cross-refs to ADR
0012 + worked retry example; ADR 0012 (393 lines) captures the rationale
+ graphHash invariant W-M6-1.
- 18 commits ahead of `main`, 1950/1951 tests passing (1 pre-existing
skip), `mise run check` green, banned-strings green, AGENTS↔CLAUDE
byte-identical sync verified.

Spec: `.erpaval/specs/005-m5-m6/spec.md` (12 ACs delivered, 4 spec
drifts resolved inline).

## What landed

### M5 — Wave 1+2+3

| AC | Commit | What |
|---|---|---|
| AC-M5-0 | `c0890fa` (pre) | `pack` added to commitlint scope-enum |
| AC-M5-1 | `1775500` (pre) | `@opencodehub/pack` workspace scaffold |
| AC-M5-2 | `4e5d6f8` (pre) | Lift PageRank from scip-ingest → analysis |
| AC-M5-3 | `bc5fd99` (pre) | BOM manifest + packHash helper (RFC 8785 canonical JSON) |
| Drift 1 | `77f37c3` | Switch chonkie dep → `@chonkiejs/core@^0.0.9` (npm `chonkie-ts` is a squatter) |
| AC-M5-3a | `018c253` | `IGraphStore.listNodes(opts?: {kinds, limit, offset})` on DuckStore + GraphDbStore |
| Drift 4 | `9d8d570` | Lift `classifyDependencies` mcp → analysis (cycle-break) |
| AC-M5-4 | `072a062` | BOM 2-4: `skeleton.ts` (PageRank-ranked symbols), `file-tree.ts` (framework-labelled), `deps.ts` |
| AC-M5-5 | `0c17be1` | BOM 5-9 + `generatePack` assembly: `ast-chunker.ts` (chonkie + line-split fallback), `xrefs.ts`, `findings.ts` (SARIF level enum + suppressions), `licenses.ts`, `readme.ts` |
| AC-M5-6 | `5c118ac` | Parquet embeddings sidecar via DuckDB COPY+ZSTD (S-M5-3 absent-when-empty) |
| AC-M5-7 | `d1aa08d` | `codehub code-pack` CLI + `pack_codebase` MCP routes through `@opencodehub/pack` (engine=pack default; engine=repomix opt-in deferred to M7) |
| AC-M5-8 | `1f51300` | Byte-identity determinism test suite + audit script + `acceptance.sh` gate 16 |
| AC-M5-9 | `e043016` | `codehub-code-pack` skill + `references/determinism-contract.md` + `opencodehub-guide` cross-link |

### M6 — Wave 1+2+3

| AC | Commit | What |
|---|---|---|
| AC-M6-1 | `9ee6a96` (pre) | `RepoNode` first-class in graph (9 attrs; appended to NodeKind union to preserve graphHash) |
| AC-M6-2 | `26e507b` (pre) | Structured `AMBIGUOUS_REPO` with `choices[]` + `total_matches` + `repo_uri` alias |
| AC-M6-3 (reframed) | `86e295b` (pre) | `group_cross_repo_links` MCP tool + v2 docmeta cross-reference spec |
| AC-M6-4 | `f9fdde2` (pre) | `group_*` tools emit `repo_uri` additively |
| AC-M6-5 | `4d8c5a9` | ADR 0012 (393 lines, mirrors 0011) + AGENTS.md/CLAUDE.md cross-refs + worked AMBIGUOUS_REPO retry example + synthetic 2-repo fixture for `codehub-contract-map` quickcheck |

## Spec drifts resolved inline

1. **chonkie package mismatch** — wave-1 wired `chonkie@^0.3.0`
(chonkie-inc-owned but undocumented). Canonical TS port is
`@chonkiejs/core@^0.0.9` per the chonkie-inc/chonkiejs README. Spec 005
amended in the swap commit.
2. **`IGraphStore.listNodes()` did not exist** — spec called for it;
implemented as a sub-AC on DuckStore + GraphDbStore. Cleaner long-term
API than scattering raw `store.query` SQL across `packages/pack/`.
3. **AGENTS.md `choices[]` already shipped** — reframed AC-M6-5 to add
cross-references to ADR 0012, RepoNode, `group_cross_repo_links` +
worked retry example.
4. **`classifyDependencies` cycle** — `pack` cannot import from `mcp`
(mcp consumes pack via `pack_codebase`). Lifted the pure helper into
`@opencodehub/analysis` as a 30-LOC prep commit.

## Roadmap status post-merge

```
M1 ✅ → M2 ✅ → (M3 ✅ ∥ M4 ✅) → (M5 ✅ ∥ M6 ✅) → M7
```

M7 (LadybugDB default + drop `sql` for `cypher`-only) is the only
remaining v1.0 milestone.

## Test plan

- [x] `pnpm install --frozen-lockfile` clean
- [x] `pnpm -r build` clean
- [x] `mise run check` exits 0 (lint + typecheck + test +
banned-strings)
- [x] 1950/1951 tests pass (1 pre-existing embedder skip)
- [x] `bash scripts/check-banned-strings.sh` PASS
- [x] `bash scripts/pack-determinism-audit.sh` runs (PASS or SKIP both
acceptable)
- [x] AGENTS.md ↔ CLAUDE.md AMBIGUOUS_REPO byte-identical
- [ ] `codehub code-pack <repo>` produces a 9-item BOM directory at
`<repo>/.codehub/packs/<packHash>/` (requires DuckStore on a real repo —
verify post-merge)
- [ ] Two consecutive `codehub code-pack` runs with same args produce
byte-identical output (E-M5-3)
- [ ] `pack_codebase` MCP tool `engine=pack` (default) route exercised
end-to-end via Claude Code

🤖 Generated with [Claude Code](https://claude.com/claude-code)

…dogfood)

Lands the v1.0 finalization plan under .erpaval/specs/006-v1-finalize/:

- spec.md: 25 ACs across 4 tracks (A=M7+IGraphStore hardening,
  B=detect-secrets 20th scanner, C=debt sweep, D=dogfood polish)
- architecture-revised.md: layered redesign of Track A —
  IGraphStore (graph-only) split from ITemporalStore (DuckDB-only),
  108 raw-SQL sites mapped to 15 typed finders, conformance test
  suite for community AGE/Memgraph/Neo4j/Neptune adapters
- pr-split-analysis.md: generator-critic over S1/S2/S3 strategies;
  recommends S3 (track-split A->C->B->D) with full 108-SQL fold-in

PR sequence: feat/v1-finalize-track-a (this branch) -> -track-c ->
-track-b -> -track-d. Each lands as its own PR.

… A) (#71)

## Track A — M7 LadybugDB default + IGraphStore abstraction hardening

Closes the architectural keystone of v1-finalize per
`.erpaval/specs/006-v1-finalize/`.
Spec: [spec.md](.erpaval/specs/006-v1-finalize/spec.md).
Layer redesign:
[architecture-revised.md](.erpaval/specs/006-v1-finalize/architecture-revised.md).
PR-split critic:
[pr-split-analysis.md](.erpaval/specs/006-v1-finalize/pr-split-analysis.md).

### What changes

- **`IGraphStore` is graph-only; new `ITemporalStore` is tabular-only.**
`openStore({path, backend}) → {graph, temporal, close, describe}`
composes both. Cochanges + symbol summaries always live in DuckDB; the
graph adapter (LadybugDB or any community fork) never implements them.
- **13 typed finders + 2 specialized finders** on `IGraphStore`.
Adapters internalize SQL/Cypher; consumers stay backend-agnostic.
- **Zero raw SQL outside `packages/storage/`.** 108 sites migrated
across analysis/, mcp/, pack/, wiki/, search/, cli/.
- **Liskov-clean parity harness** at `@opencodehub/storage/test-utils` —
`rebuildFromStore(graph)` uses only public methods.
`assertGraphParity(fixture, {stores})` verifies byte-identity across N
adapters.
- **Conformance suite** at `assertIGraphStoreConformance(name, factory)`
— community AGE/Memgraph/Neo4j/Neptune adapters import + run; pass =
v1.0 graphHash byte-identity contract honored.
- **Default `CODEHUB_STORE` flips to `lbug`** when `@ladybugdb/core` is
importable, falls back to `duck` otherwise. Dual-artifact mtime
detection. ADR 0013 documents the M7 architectural shift.
- **`m7-parity-audit.sh`** — runs `codehub analyze` under both backends,
asserts graphHash byte-identity. Wired into `scripts/acceptance.sh` gate
17. Skip-clean on dev boxes without lbug binding.

### AC summary (Track A — 13 of 13)

| AC | What |
|---|---|
| A-1 | Split IGraphStore + new ITemporalStore + openStore factory |
| A-2 | Hoist column encoders + sentinel coercions to `column-encode.ts` |
| A-3 | Delete cochange/summary residue from GraphDbStore + new `temporal-parity.test.ts` |
| A-4 | Move embeddings sidecar emission from storage/ to pack/ (`exportEmbeddingsParquet` made `@internal`) |
| A-5 | Replace 41 `DuckDbStore` parameter type pins with `IGraphStore` / `Store` (folded into A-6c) |
| A-6a | 13 typed finders on IGraphStore + both adapters |
| A-6b | analysis/ migration (27 sites) + 2 specialized finders (`listNodesByEntryPoint`, `listNodesByName`) |
| A-6c | mcp/ migration (46 sites + 41 type pins) + shared `mcp/test-utils.ts` |
| A-6d | pack/, wiki/, search/ migration (~20 sites) + `WikiFakeStore` rewrite |
| A-6e | cli/ migration + `Store` composition + dual-backend `doctor` probe |
| A-7 | Public-interface parity harness (`rebuildFromStore` + `assertGraphParity`) |
| A-8 | `describeArtifacts(backend)` helper unifies two-store filenames |
| A-9 | Flip `CODEHUB_STORE` default to `lbug` + ADR 0013 |
| A-10 | `m7-parity-audit.sh` + acceptance gate 17 + ADR 0013 empirical evidence |
| A-11 | v1.0 community-adapter conformance suite |

### Validation

- **1981 tests across 17 packages** — all green.
- `pnpm -r exec tsc --noEmit` clean.
- `mise run check` exits 0.
- `bash scripts/check-banned-strings.sh` PASS.
- `bash scripts/m7-parity-audit.sh` skip-clean on dev box (no lbug
binding); CI/testbed runs full audit.
- graphHash byte-identity invariant U1 holds per-commit across all 26
commits.
- Pack determinism invariant U2 preserved on duck path;
`determinism_class: degraded` stamped on lbug-only deployments without
`@dsnp/parquetjs`.

### Compound lessons extracted

3 durable knowledge-track lessons written to `.erpaval/solutions/`:

- `architecture-patterns/igraphstore-itemporalstore-segregation.md`
- `architecture-patterns/typed-finders-replace-raw-sql-in-consumers.md`
- `best-practices/parallel-act-subagents-with-shared-git-tree.md`

### Out of scope (queued for follow-on PRs)

- Track B — constraint-10 (detect-secrets as 20th scanner)
- Track C — debt sweep (parse-cache eviction, stringArrayField
asymmetry, SageMaker rebuild-on-switch refusal, SCIP REFERENCES +
TYPE_OF emission, 4 READMEs)
- Track D — dogfood polish (semgrep.yml, osv.yml split,
och-self-scan.yml, code-pack release asset, lefthook polish, mise
och:self-* tasks)

🤖 Squashed via
[bonk-ai](https://github.com/theagenticguy/ai-gateway/blob/main/scripts/bot-push.py).

Co-authored-by: bonk-ai[bot] <269762587+bonk-ai[bot]@users.noreply.github.com>

## Track B — constraint-10 (detect-secrets as 20th scanner)

Closes the constraint-10 leg of v1-finalize per
`.erpaval/specs/006-v1-finalize/`.
Spec: [spec.md§Track B](.erpaval/specs/006-v1-finalize/spec.md).
PR-split:
[pr-split-analysis.md](.erpaval/specs/006-v1-finalize/pr-split-analysis.md)
— A → C → B → D ordering, this is leg 2 of 4.

### What changes

- **`DETECT_SECRETS_SPEC`** added to `packages/scanners/src/catalog.ts`
between BANDIT and BIOME. Polyglot P1, Apache-2.0, pinned at v1.5.0 with
a stale-since-2024 catalog comment. `ALL_SPECS.length` rises 19 → 20;
`P1_SPECS` rises 11 → 12.
- **`createDetectSecretsWrapper`**
(`packages/scanners/src/wrappers/detect-secrets.ts`) invokes
`detect-secrets scan . --all-files` and pipes stdout JSON through the
converter. Empty SARIF + `skipped` on missing binary; empty SARIF on
malformed stdout — `tool.driver.name` always preserved (E-B-2).
- **`detectSecretsJsonToSarif`**
(`packages/scanners/src/converters/detect-secrets-to-sarif.ts`) walks
the per-file `results` map, maps detect-secrets `type` → SARIF `ruleId`
via a 25-row table covering every v1.5.0 detector, with slug fallback
for future detectors. SHA-1 `hashed_secret` stamped on
`partialFingerprints.detect_secrets_sha1` — explicitly **not**
advertised as a cryptographic fingerprint per W-B-1. Overlapping
findings (KeywordDetector + AWSKeyDetector on the same line) pass
through without dedupe per W-B-2; OCH's downstream SARIF dedupe handles
merge. Every emitted log validated against `SarifLogSchema` before
return.

### AC summary (Track B — 2 of 2)

| AC | What |
|---|---|
| B-1 | `DETECT_SECRETS_SPEC` added to catalog (19→20); P1 stable-order updated; cli `selectScanners` test extended for the new polyglot P1 |
| B-2 | wrapper + JSON→SARIF converter + 13 new tests (9 converter + 4 wrapper) |

### Validation

- **93 tests in `@opencodehub/scanners`** (was 80; +13 new), all green.
- `pnpm -r exec tsc --noEmit` clean.
- `bash scripts/check-banned-strings.sh` PASS.
- `mise run check` exits 0.
- SARIF emissions validated against `SarifLogSchema` at the conversion
boundary.
- W-B-1 honored: `partialFingerprints.detect_secrets_sha1` slot is
plugin-defined identifier per SARIF §3.27.18, not a crypto claim.
- W-B-2 honored: overlapping findings test asserts both pass through
with the same line number.
- E-B-2 honored: missing-binary path returns empty SARIF with
`tool.driver.name = "detect-secrets"` preserved.

### Compound lessons extracted

1 durable lesson written to `.erpaval/solutions/`:

- `best-practices/squash-merge-masks-pre-existing-debt.md` — first
action on a fresh branch from main (especially during a multi-PR
finalize like A → C → B → D) is `mise run check` BEFORE starting work;
per-commit U6 invariant inside a track-PR is not transitive across
squash boundaries when biome rule sets, transitive deps, or
cross-package test assertions drift between PRs.

### Opportunistic fixes (pre-existing main debt)

`mise run check` exited non-zero on a fresh cut from main (post Track A
squash) on 6 unrelated lint findings. Per the "fix problems you
encounter" tenet, swept inline:

- `packages/scip-ingest/src/derive.test.ts` — 4 `noNonNullAssertion` →
`assert.ok(edge)` + safe ref
- `packages/embedder/src/sagemaker-embedder.parity.test.ts` —
`noConsole` + suppress `noTemplateCurlyInString` on the deliberate
`${this.name}` fixture
- `packages/search/src/{bm25,hybrid}.test.ts` +
`packages/wiki/src/index.test.ts` — drop now-unused `biome-ignore
lint/correctness/useYield` suppressions on empty `async *` generators
- `packages/cli/src/commands/scan.test.ts` — `selectScanners` assertions
extended for the new polyglot P1 (cross-package coupling that
`scanners/catalog.test.ts` alone couldn't catch)

### Worktree cleanup

Pruned 14 orphan `.claude/worktrees/agent-*` worktrees from Track A's
parallel Act subagents — recurrence of
`worktree-isolation-pwd-pin-and-biome-exclusion`.

### Out of scope (still queued for follow-on PRs)

- Track C — debt sweep (parse-cache eviction, stringArrayField
asymmetry, SageMaker rebuild-on-switch refusal, SCIP REFERENCES +
TYPE_OF emission, 4 READMEs)
- Track D — dogfood polish (semgrep.yml, osv.yml split,
och-self-scan.yml, code-pack release asset, lefthook polish, mise
och:self-* tasks)

🤖 Squashed via
[bonk-ai](https://github.com/theagenticguy/ai-gateway/blob/main/scripts/bot-push.py).

Co-authored-by: bonk-ai[bot] <269762587+bonk-ai[bot]@users.noreply.github.com>

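The Track B message above describes the JSON→SARIF converter in prose only. The block below is an added example written for this page, not the OCH wrapper or converter: a minimal detect-secrets JSON → SARIF 2.1.0 converter with the same three behaviours (rule-table mapping with slug fallback, overlapping findings on one line passed through, an empty but still tool-named SARIF log on malformed stdout). It assumes the `detect-secrets scan` output is a per-file `results` map whose entries carry `type`, `hashed_secret` and `line_number`; `RULE_TABLE` is a constructed three-row subset standing in for the project's 25-row table, and the `SarifLogSchema` validation step is not reproduced.

```typescript
// Added example, not the OCH wrapper/converter: a minimal detect-secrets
// JSON -> SARIF 2.1.0 converter with the behaviour the Track B message
// describes. Assumptions: the input shape approximates `detect-secrets scan`
// output (a per-file `results` map); RULE_TABLE is a constructed subset, and
// the project's schema validation step is not reproduced.

interface DsFinding {
  type: string;
  hashed_secret: string;
  line_number: number;
}
interface DsReport { results: Record<string, DsFinding[]> }

export interface SarifResult {
  ruleId: string;
  level: "warning";
  message: { text: string };
  locations: { physicalLocation: { artifactLocation: { uri: string }; region: { startLine: number } } }[];
  partialFingerprints: { detect_secrets_sha1: string };
}
export interface SarifLog {
  version: "2.1.0";
  runs: { tool: { driver: { name: string; rules: { id: string; name: string }[] } }; results: SarifResult[] }[];
}

const TOOL_NAME = "detect-secrets";

// Constructed subset of the detector-name -> ruleId table; unknown detector
// names fall back to a slug so a future detector still gets a stable ruleId.
const RULE_TABLE: Record<string, string> = {
  "AWS Access Key": "aws-access-key",
  "Secret Keyword": "keyword",
  "Private Key": "private-key",
};

export function ruleIdFor(detectorType: string): string {
  return RULE_TABLE[detectorType] ??
    detectorType.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
}

// Empty log that still names the tool, so a missing binary or malformed
// stdout yields a valid run rather than a crash or a nameless run.
function emptyLog(): SarifLog {
  return { version: "2.1.0", runs: [{ tool: { driver: { name: TOOL_NAME, rules: [] } }, results: [] }] };
}

function isReport(v: unknown): v is DsReport {
  if (typeof v !== "object" || v === null) return false;
  const r = (v as { results?: unknown }).results;
  return typeof r === "object" && r !== null;
}

export function detectSecretsJsonToSarif(stdout: string): SarifLog {
  let parsed: unknown;
  try { parsed = JSON.parse(stdout); } catch { return emptyLog(); }
  if (!isReport(parsed)) return emptyLog();
  const log = emptyLog();
  const run = log.runs[0];
  const seen = new Set<string>();
  for (const [file, findings] of Object.entries(parsed.results)) {
    for (const f of findings) {
      const ruleId = ruleIdFor(f.type);
      if (!seen.has(ruleId)) { seen.add(ruleId); run.tool.driver.rules.push({ id: ruleId, name: f.type }); }
      // Overlapping findings on one line are passed through; no dedupe here.
      run.results.push({
        ruleId,
        level: "warning",
        message: { text: `${f.type} detected` },
        locations: [{ physicalLocation: { artifactLocation: { uri: file }, region: { startLine: f.line_number } } }],
        // detect-secrets' SHA-1 is carried as a plugin-defined id, not a cryptographic fingerprint.
        partialFingerprints: { detect_secrets_sha1: f.hashed_secret },
      });
    }
  }
  return log;
}

// Constructed sample stdout: two detectors firing on the same line, plus a
// detector name absent from RULE_TABLE. Hashes are placeholder hex.
export const SAMPLE_STDOUT = JSON.stringify({
  results: {
    "src/config.ts": [
      { type: "AWS Access Key", hashed_secret: "0123456789abcdef0123456789abcdef01234567", line_number: 12 },
      { type: "Secret Keyword", hashed_secret: "0123456789abcdef0123456789abcdef01234567", line_number: 12 },
    ],
    "deploy/id_rsa": [
      { type: "Future Detector (v2)", hashed_secret: "fedcba9876543210fedcba9876543210fedcba98", line_number: 1 },
    ],
  },
});
```

In practice `detectSecretsJsonToSarif` runs over the captured stdout of the scanner and its output goes to the downstream SARIF dedupe; the rule table is the one place detector names get stable ids, and the SHA-1 travels only as an opaque correlation key.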
## Track C — debt sweep (7 ACs)

Closes the debt-sweep leg of v1-finalize per
`.erpaval/specs/006-v1-finalize/`.
Spec: [spec.md§Track C](.erpaval/specs/006-v1-finalize/spec.md).
ADR:
[0014-scip-references-and-embedder-fingerprint](docs/adr/0014-scip-references-and-embedder-fingerprint.md).
PR-split: A → C → B → D ordering — this is leg 3 of 4.

### What changes

- **AC-C-1 parse-cache LRU eviction** — `evictIfOverCap(cacheDir,
capBytes)` lists shards, sorts mtime-asc, deletes oldest until ≤0.9×cap.
Wired into `writeCacheEntry` post-write; gated on
`CODEHUB_PARSE_CACHE_MAX_BYTES` (default 1 GiB; 0 disables). Eviction
errors swallowed silently — cache failure is never fatal. JSDoc at
`content-cache.ts:133` updated to point at the new helper. +12 tests.
- **AC-C-2 stringArrayField round-trip symmetry** — `stringArrayOrNull`
writer + 3 readers (`duckdb-adapter.ts:setStringArrayField`,
`graphdb-adapter.ts:setStringArrayFieldGd`,
`analyze.ts:stringArrayField`) now preserve `[]` distinct from
`undefined`. The columns are already typed arrays (DuckDB `TEXT[]`,
GraphDb `STRING[]`); the fix removes the `length > 0` coalescing. New
`medium-with-empty-keywords` parity fixture + a difference assertion
that proves `graphHash({keywords: []}) ≠ graphHash({})`. DuckDB binder
needed an explicit `LIST(VARCHAR)` type-hint to bind empty arrays —
caught and fixed alongside.
- **AC-C-3 SageMaker rebuild-on-switch refusal** — `embedder_model_id
TEXT` column added to `store_meta` (DuckDb) + StoreMeta NODE TABLE
(GraphDb) via append-only DDL + `ALTER TABLE IF NOT EXISTS` migration.
`Store.{getMeta,setMeta}` round-trip the field.
`assertEmbedderCompatible` lives in
`@opencodehub/embedder/fingerprint.ts`; cli `runQuery` exits 2 with the
frozen remediation hint, MCP `runQuery` returns a new
`EMBEDDER_MISMATCH` envelope, both honor `--force-backend-mismatch` /
`force_backend_mismatch`. graphHash invariant unaffected (store_meta is
not part of the hash). +5 fingerprint tests.
- **AC-C-4 openDefaultEmbedder factory consolidation** — new
`packages/embedder/src/factory.ts` exports `openDefaultEmbedder({
allowOnnxFallback?: boolean })`. Replaces the duplicated 6-line block at
`packages/cli/src/commands/query.ts:122-127` and
`packages/mcp/src/tools/query.ts:453-458`. Ingestion's fuller variant
(offline flag + ONNX variant + pool + canary) intentionally diverges
with a one-line comment pointing at the factory. +4 tests covering
HTTP-priority + ONNX-fallback + EmbedderNotSetupError + ONNX-failure
branches.
- **AC-C-5 SCIP REFERENCES + TYPE_OF emission** — `TYPE_OF` appended at
position 25 of `RelationType` union, `RELATION_TYPES` array,
`ALL_RELATION_TYPES` (DuckDb), and `RELATION_KINDS` (GraphDb) per the
append-only rule. `deriveEdges` widens to emit `REFERENCES` for non-call
non-DEF non-IMPORT occurrences whose enclosing scope is function-like.
New `emitRelations` sibling in `scip-index.ts` consumes
`derived.relations` and writes IMPLEMENTS + TYPE_OF graph edges via the
same `symbolDef`-resolved caller→callee join shape (`+1` boundary
translation per `scip-0-indexed-vs-graph-1-indexed.md`). Existing
`incremental-determinism.test.ts` is self-consistent (asserts cross-run
hash stability, not against a frozen golden) so no fixture file regen is
needed; the first SCIP re-index after merge produces the documented
one-time content delta. Large parity fixture auto-extends from 24 → 25
edge kinds via `getAllRelationTypes()`.
- **AC-C-6 four READMEs** —
`packages/{cli,mcp,ingestion,scanners}/README.md` (62-80 lines each)
following the `packages/policy/README.md` template (Surface / table /
Design). Root README cross-links updated. scanners README cites the
20-scanner P1+P2 breakdown post-Track-B.
- **AC-C-7 .gitmodules debt closed as stale** — file was removed when
`packages/gym` moved to `opencodehub-testbed` (commit 378f79f).
`.erpaval/debt.md` updated to status `CLOSED-STALE`.

### AC summary (Track C — 7 of 7)

| AC | What |
|---|---|
| C-1 | parse-cache LRU eviction (env-gated, default 1 GiB) |
| C-2 | stringArrayField round-trip symmetry ([] vs absent) |
| C-3 | embedder fingerprint refusal + EMBEDDER_MISMATCH envelope |
| C-4 | openDefaultEmbedder factory consolidation |
| C-5 | SCIP REFERENCES + TYPE_OF (position 25, append-only); emitRelations |
| C-6 | 4 package READMEs + root README cross-links |
| C-7 | .gitmodules debt closed as stale |

### Validation

- **`mise run check` exits 0.**
- `pnpm -r exec tsc --noEmit` clean.
- `bash scripts/check-banned-strings.sh` PASS.
- 244/244 storage tests + 1 skip (lbug binding absent on dev box).
- 80/80 embedder tests (was 71; +9 new).
- 607/607 ingestion tests (parse-cache eviction +12 new).
- 58/58 scip-ingest tests; 73/73 core-types; 235/235 cli.
- graphHash byte-identity holds: cross-adapter parity green for
`medium-with-empty-keywords` and the 25-edge-kind sweep on the DuckDb
leg; GraphDb leg skip-clean as expected without `@ladybugdb/core`
binding on dev box.

### graphHash content delta (one-time)

Per ADR 0014 + spec W-A-2: the first SCIP re-index after this PR merges
produces additional REFERENCES + IMPLEMENTS + TYPE_OF edges. Expected,
documented as a v1.0 minor bump (schema-shape preserved via append-only;
only content changes). Existing OCH stores need `codehub analyze
--force` to pick up the new edges.

### Compound lesson extracted

`.erpaval/solutions/best-practices/no-spec-coordinate-leakage-into-source.md`
— ERPAVal `AC-*` / `M-*` / `W-*` / `CL-*` prefixes belong in commits, PR
bodies, and ADR `## References` sections, NOT in JSDoc, inline comments,
CLI flag help, MCP tool descriptions, or test names. The leakage
compounds because LLM clients pick up the vocabulary and start citing it
back. Sweep `rg -n "AC-[A-Z]-[0-9]" packages/` before every PR-open.
Track A's already-merged `AC-A-*` leakage is flagged for a separate
cleanup PR (out of scope for this Track C diff to keep the review
focused).

### Out of scope (queued for follow-on PRs)

- Track D — dogfood polish (semgrep.yml, osv.yml split,
och-self-scan.yml, code-pack release asset, lefthook polish, mise
och:self-* tasks)
- chore(repo): scrub Track-A `AC-A-*` spec coordinates from production
source (mechanical sweep, separate session)

🤖 Squashed via
[bonk-ai](https://github.com/theagenticguy/ai-gateway/blob/main/scripts/bot-push.py).

Co-authored-by: bonk-ai[bot] <269762587+bonk-ai[bot]@users.noreply.github.com>

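AC-C-1 in the Track C message above states the parse-cache eviction policy in prose. The block below is an added example, not the project's `content-cache.ts`: the same policy implemented against a temp directory (list shards, sort by mtime ascending, delete oldest until the total is at or below 0.9 × cap), gated on `CODEHUB_PARSE_CACHE_MAX_BYTES` with a 1 GiB default and 0 disabling, and an "eviction is never fatal" wrapper that swallows errors. `evictIfOverCap` is the name the message uses; `readCapFromEnv`, `evictQuietly`, `demo` and the fixed 0.9 low-water constant are assumptions.

```typescript
import { promises as fs } from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Added example, not OCH's content-cache.ts: size-capped, mtime-ordered
// eviction in the shape the AC-C-1 bullet describes. readCapFromEnv,
// evictQuietly, demo and the constant LOW_WATER are assumptions.

export const CAP_ENV = "CODEHUB_PARSE_CACHE_MAX_BYTES";
const DEFAULT_CAP = 1024 ** 3; // 1 GiB
const LOW_WATER = 0.9; // evict down to 90% of the cap, not just below it

export function readCapFromEnv(env: Record<string, string | undefined> = process.env): number {
  const raw = env[CAP_ENV];
  if (raw === undefined || raw === "") return DEFAULT_CAP;
  const n = Number(raw);
  return Number.isFinite(n) && n >= 0 ? n : DEFAULT_CAP; // 0 disables eviction
}

// Lists shard files, sorts oldest-first by mtime, unlinks until total size is
// at or below LOW_WATER * capBytes. Returns the names it removed.
export async function evictIfOverCap(cacheDir: string, capBytes: number): Promise<string[]> {
  if (capBytes <= 0) return [];
  const shards: { file: string; size: number; mtimeMs: number }[] = [];
  for (const name of await fs.readdir(cacheDir)) {
    const file = path.join(cacheDir, name);
    const st = await fs.stat(file);
    if (st.isFile()) shards.push({ file, size: st.size, mtimeMs: st.mtimeMs });
  }
  let total = shards.reduce((acc, s) => acc + s.size, 0);
  if (total <= capBytes) return [];
  shards.sort((a, b) => a.mtimeMs - b.mtimeMs);
  const evicted: string[] = [];
  for (const s of shards) {
    if (total <= LOW_WATER * capBytes) break;
    await fs.unlink(s.file);
    total -= s.size;
    evicted.push(path.basename(s.file));
  }
  return evicted;
}

// "Cache failure is never fatal": the post-write caller swallows eviction
// errors so a permissions problem in the cache cannot fail the write path.
export async function evictQuietly(cacheDir: string, capBytes: number): Promise<string[]> {
  try {
    return await evictIfOverCap(cacheDir, capBytes);
  } catch {
    return [];
  }
}

// Demo fixture: five 100-byte shards with staggered mtimes under a 300-byte
// cap. Expected: the three oldest go (500 -> 200 bytes <= 270), two remain.
export async function demo(): Promise<{ evicted: string[]; remaining: string[] }> {
  const dir = await fs.mkdtemp(path.join(os.tmpdir(), "parse-cache-"));
  const base = Date.now() - 60_000;
  for (let i = 0; i < 5; i++) {
    const file = path.join(dir, `shard-${i}.json`);
    await fs.writeFile(file, "x".repeat(100));
    const t = new Date(base + i * 1000); // shard-0 is the oldest
    await fs.utimes(file, t, t);
  }
  const evicted = await evictQuietly(dir, 300);
  const remaining = (await fs.readdir(dir)).sort();
  await fs.rm(dir, { recursive: true, force: true });
  return { evicted, remaining };
}
```

The low-water mark matters operationally: evicting only to exactly the cap would trigger another eviction on the very next write, so the helper overshoots to 90% and amortises the directory scan across many writes.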
## Summary

Standalone scrub PR called for by the durable lesson at
`.erpaval/solutions/best-practices/no-spec-coordinate-leakage-into-source.md`.

ERPAVal session-local prefixes (`AC-*`, `S-*`, `W-*`, `E-*`, `T-*`, `CL-*`,
`SUM-*`, `DOC-*`) plus references to `architecture-revised.md` and
`.erpaval/sessions/` / `.erpaval/specs/` paths leaked into production source,
JSDoc, CLI flag help, MCP tool option descriptions, and test names. The
spec packets that name those coordinates are gitignored, so once the
packet graduates the source citations rot — and LLM clients pick the
leakage up and start citing it back.

This PR replaces every leaked coordinate with the underlying invariant or
behavior the comment / test / JSDoc actually documents. **147 files**
covering every workspace package plus plugin SKILL.md files, the
determinism-contract reference doc, and shell-level acceptance scripts.

Two pairs of source/test runtime strings updated in lockstep:
- `generatePack` production-store error in `pack/src/index.ts` ↔
  `pack/src/index.test.ts`.
- COBOL fixture author line in `hello.cbl` ↔ inline test fixture in
  `cobol-regex.test.ts` (`T-M4-5` → `INGESTION-FIXTURE`, still valid
  COBOL syntax).

ADR text and `docs/adr/*` files retain coordinates where they cite the
permanent decision rationale; `P0[1-9]` packet IDs stay since they're
documented in ADRs.

## Test plan

- [x] `rg` for ERPAVal coordinate patterns across `packages/`, `plugins/`, `scripts/` — zero hits.
- [x] `mise run lint` (biome) — clean.
- [x] `pnpm -r exec tsc --noEmit` — clean.
- [x] `pnpm -r test` — all 1438 tests pass across every workspace package.
- [x] `bash scripts/check-banned-strings.sh` — PASS.

Co-authored-by: bonk-ai[bot] <269762587+bonk-ai[bot]@users.noreply.github.com>

## Summary

Track D — leg 4/4 of v1.0 finalize. CI / lefthook / mise dogfood polish
per `.erpaval/specs/006-v1-finalize/spec.md§Track D`.

- **AC-D-1** `feat(ci): add standalone Semgrep workflow` (`9b36bf4`) —
`semgrep/semgrep` container, `p/auto + p/owasp-top-ten`, SARIF upload as
`category: semgrep`.
- **AC-D-2** `feat(ci): split OSV-Scanner into standalone workflow`
(`22253da`) — extract from embedded `ci.yml` job into `osv.yml`. Bumped
pin v2.3.5 → v2.3.8 (released 2026-05-08, fixes only).
- **AC-D-3** `feat(ci): add self-scan dogfood workflow` (`0e43d06`) —
`och-self-scan.yml` runs `codehub` on itself via `pnpm exec node
packages/cli/dist/index.js` (no `pnpm link --global` — removed in pnpm
11.x).
- **AC-D-4** `feat(ci): attach codehub code-pack as a release asset`
(`1ab82a6`) — **inline** in `release-please.yml` gated on
`steps.release.outputs.release_created`; a separate `release: published`
workflow would not fire under default `GITHUB_TOKEN` (research finding).
Latent same-bug in `sbom.yml` flagged for follow-on.
- **AC-D-5** `chore(repo): polish lefthook config to claude-sql parity`
(`4cf07a8`) — `min_version`, `assert_lefthook_installed`, `glob_matcher:
doublestar`, `output:` blocks, `templates: {pnpm}`, per-job
`fail_text`/`priority`/`skip`/`files:` diff-scoping. NEW pre-commit
`pnpm-lock-sync` job. NEW pre-push `verdict` job with graceful-degrade
guard for un-indexed checkouts.
- **AC-D-6** `chore(repo): add och:self-* dogfood mise tasks +
pack:determinism` (`3894ca9`) — `pack:determinism` wired into
`check:full` deps; 4 dogfood tasks (analyze/scan/verdict/pack).
- **fix(ci)** `drop --exit-code from codehub verdict invocations`
(`55dc684`) — pre-push hook on first run caught a CLI-spec mismatch;
verdict already exits with non-zero on `block` by default, no flag
needed.
- **fix(ci)** `make pre-push verdict hook degrade gracefully on
un-indexed dev boxes` (`044ef43`) — guard on presence of
`.codehub/graph.duckdb` or `graph.lbug`, mirroring
`pack-determinism-audit.sh` SKIP shape.

Spec coordinate sweep: zero `AC-*` / `M-*` / `W-*` / `CL-*` leakage in
source per
`.erpaval/solutions/best-practices/no-spec-coordinate-leakage-into-source.md`.

## Validation

- `mise run check` exit 0 (lint + typecheck + test 235/235 cli + 17
packages green + banned-strings).
- `mise run pack:determinism` SKIP-clean (no `.codehub/duck.db` on dev —
graceful, expected).
- `mise run check:full --dry-run` confirms `pack:determinism` wired into
the DAG.
- `bash scripts/check-banned-strings.sh` PASS — every commit gated by
lefthook pre-commit hook.
- All 6 YAML files parse via `yaml.safe_load`; `mise.toml` parses via
`tomli.load`.
- Per-commit lefthook gates fired green (banned-strings + commitlint +
on push: typecheck + test + verdict).

## API freshness — research-grounded 2026-05-09

`./.erpaval/sessions/session-85faf1/research-track-d.md` cites every API
decision against the upstream source: codeql-action@v4, checkout@v6,
upload-artifact@v7, mise-action@v4, release-please-action@v5,
semgrep/semgrep, osv-scanner v2.3.8, lefthook v2.1.6 schema, mise.toml
task syntax, pnpm 11.x removal of `pnpm link --global`.

## Test plan

- [ ] Confirm CI passes on the PR (lint + typecheck + test on Node 22 +
24, sarif-validate, banned-strings, licenses, osv).
- [ ] Verify the new `semgrep.yml` runs (dispatch on push to PR) and
uploads SARIF to Code Scanning under `category: semgrep`.
- [ ] Verify the new `osv.yml` runs and uploads SARIF under `category:
osv-scanner`; embedded `ci.yml` `osv:` job is gone.
- [ ] Verify `och-self-scan.yml` workflow_dispatches successfully on
this branch (manual trigger from Actions tab).
- [ ] Smoke `mise run pack:determinism` after running `codehub analyze`
on a clean checkout to confirm byte-identity.
- [ ] (Future PR) Migrate `sbom.yml` from `release: [published]` →
inline in `release-please.yml` per the same finding that drove AC-D-4.

## Adjacent debt flagged for follow-on PRs

- `sbom.yml` has the same `release: [published]` + default
`GITHUB_TOKEN` latent bug as the prior AC-D-4 design. One-line workflow
change to inline; out of scope here.
- `lefthook.yml` `core.hooksPath` hint surfaces every commit on this dev
box; cosmetic — local clone has `.git/hooks` set explicitly.

## Rollback

Each AC commit touches disjoint files (different `.yml` workflows /
`lefthook.yml` / `mise.toml`). Any AC can be reverted independently with
`git revert <sha>` without disturbing the others.

## Summary

V1-launch readiness sweep: cherry-picks three known-good upstream bug
fixes from the post-filter testbed, closes two residual smoke gaps, and
deeply refreshes the v1 docs against current reality.

### Bug fixes (5 of 7 from UPSTREAM_BUGS.md)

| Severity | Bug | Fix |
|---|---|---|
| HIGH (data corruption) | #2 — `codehub scan <path>` ingested SARIF into operator's CWD instead of the scanned repo | `c43c5aa fix(cli): scan ingests SARIF into the scanned repo, not CWD` |
| HIGH (CI gate) | #3 — `scripts/smoke-mcp.sh` asserted EXPECTED_TOOLS=19; server registers 29 | `433f684 fix(repo): smoke-mcp asserts 29 tools, matching the v1.0 server` |
| HIGH (CI dashboard) | #4 — `codehub bench` surfaced 9 of 17 acceptance gates (some titles also stale) | `c5f9047 fix(cli): bench dashboard surfaces all 17 acceptance gates` |
| MEDIUM | #1 + #6 — `codehub doctor` false-WARN on tree-sitter / @duckdb / @LadybugDB under pnpm strict isolation; `duckdb close()` undefined on `@duckdb/node-api@1.x` | `c218c31 fix(cli): doctor resolves native bindings from owner workspaces` |
| LOW (test hygiene) | #7 — `http-embedder.test.ts` cases failed when `CODEHUB_EMBEDDING_*` env was set in operator's shell | `317bdf1 fix(embedder): isolate http-embedder tests from operator env` |

Bug #5 (testbed-only pytest-timeout) does not apply upstream. Bug fixes
#1+#6, #2, #3 are direct cherry-picks of `def988b`, `6924b1b`, `ec66d4a`
from the post-filter sibling — every changed file:line coordinate
verified to match upstream HEAD before pick.

### Spec-coordinate hygiene
- `fad766f` — scrub `AC-A-7` / `AC-A-10` from
`scripts/m7-parity-audit.sh` header (per the durable lesson; scripts are
not ADRs).
- `e186aea` — restore ADR-permanent spec coordinates in
`docs/adr/0013-m7-default-flip-and-abstraction.md` and
`docs/adr/0014-scip-references-and-embedder-fingerprint.md` after an
earlier docs-sweep commit over-scrubbed them. Per PR #74's carve-out,
ADR text is the explicit place where coordinates ARE allowed.

Final sweep: `rg -n 'AC-[A-Z]-[0-9]' packages/ scripts/` returns zero
hits.

### Docs refresh
- `898192e` — README: status flipped from "v0.1.0 initial public
release" to "v1 — feature-complete on M1–M7" (the prerelease caveat
stays since `package.json` is still `0.1.x`); 28 → 29 MCP tools across
the mermaid diagram, table heading, and mcp-package row; new "Parse
runtime — WASM default" section cross-linking ADR
`0013-parse-runtime-wasm-default.md`; Repository Layout regenerated
against `ls packages/` (now 17 packages — adds `cobol-proleap`,
`frameworks`, `pack`, `policy`, `wiki`; drops `eval` and `gym` with a
sibling-testbed note); 14 → 15 GA languages (COBOL via regex provider);
requirements bumped to Node 22-or-24; tool table expanded to enumerate
the cross-repo federation tools and `pack_codebase`.
- `69eac8f` — ADR 0011 `Proposed → Accepted`; ADR 0013-m7 `Proposed →
Accepted`; sibling-ADR cross-link banner on the duplicate-0013 collision
(`0013-parse-runtime-wasm-default.md` and
`0013-m7-default-flip-and-abstraction.md` both landed concurrently); ADR
0014 References block swapped from `.erpaval/specs/...` (gitignored,
will rot once packet graduates) to durable code-path citations.
- `edb362e` — CHANGELOG `[Unreleased]` entry summarizing this PR;
AGENTS.md 28 → 29 tools and a divergence banner where it intentionally
drops session-local coordinates that CLAUDE.md still carries;
OBJECTIVES.md tool count + language count + sibling-testbed note.

## Validation

- `pnpm install --frozen-lockfile` ✅
- `mise run check` (lint + typecheck + test + banned-strings + verdict)
✅
- `pnpm -F @opencodehub/cli test` — **236/236** pass (was 235; +1 from
the new `[SKIP]` parsing case in `bench.test.ts`)
- `pnpm -F @opencodehub/embedder test` — 79 pass / 0 fail / 1 skipped
- `bash scripts/smoke-mcp.sh` — **PASS (29 tools listed)**
- `node packages/cli/dist/index.js doctor` — `tree-sitter native
binding: OK`, `duckdb native binding: OK`, `graph-db native binding:
FAIL` (real opt-in build status — the `@ladybugdb/core` binding is not
installed on this dev box, which is what `doctor` is supposed to
surface; the false-WARN this PR fixes is gone)
- `rg -n 'AC-[A-Z]-[0-9]' packages/ scripts/` — zero hits

## Test plan

- [ ] CI green on `chore/v1-upstream-bug-sweep`
- [ ] `codehub doctor` reports OK on tree-sitter + duckdb in CI matrix
(Node 22 + Node 24)
- [ ] `codehub scan /tmp/<fixture>` ingests into `<fixture>` not CWD
(manual verification on a downstream repo)
- [ ] `codehub bench` table now renders all 17 rows, none stuck on
"skipped — script crashed"
- [ ] License audit / banned-strings / commitlint stay green

## Out of scope

- Bug #5 (testbed-only pytest-timeout). Listed for reference in
UPSTREAM_BUGS.md; does not affect upstream.

## Summary

Compound phase from session-6c091d (PR #76). Four new durable lessons
extracted from the v1 upstream bug sweep, plus a clarification of the
existing leakage lesson's sweep scope.

### New lessons

| File | Category | Surfaced by |
|---|---|---|
| `cherry-pick-from-sibling-testbed.md` | best-practices | Whole campaign — fetched the post-filter sibling, picked 3 fix commits directly |
| `bench-dashboard-acceptance-script-parity.md` | architecture-patterns | Bug #4 — dashboard parsed banners by exact-string match; 9-of-17 gates rendered |
| `test-env-hermeticity-for-backend-precedence.md` | conventions | Bug #7 — `CODEHUB_EMBEDDING_*` precedence chain leaked from operator's shell |
| `parallel-docs-subagent-overscrubs-adrs.md` | best-practices | The docs subagent stripped AC-* from `docs/adr/0013-m7` and `0014` despite PR #74's ADR carve-out — required a follow-up restore commit |

### Updated

- `no-spec-coordinate-leakage-into-source.md` — added a "Sweep scope is
`packages/` and `scripts/`, NOT `docs/adr/*`" rule that names PR #74's
carve-out, so future subagents reading the lesson see the constraint
without PR archaeology.
- `INDEX.md` — pointers for the four new lessons.

## Test plan

- [ ] CI green on `chore/v1-compound-lessons`
- [ ] No spec-coordinate leakage in source: `rg -n 'AC-[A-Z]-[0-9]'
packages/ scripts/` returns zero hits.
- [ ] Future ERPAVal sessions that load `INDEX.md` at session start
surface these four lessons.

## Summary

Three deep specialists ran in parallel to: (1) close every CodeQL HIGH
alert plus low-hanging mediums, (2) resolve every Scorecard HIGH
`Token-Permissions` and MEDIUM `Pinned-Dependencies` alert, and (3)
build a production-grade release pipeline with SLSA L3 provenance,
cosign keyless signing, gated pre-release scans, and an operator
runbook.

## Code-scanning alerts resolved

### CodeQL HIGH (15) — `packages/`

| Class | Count | Pattern |
|---|---|---|
| `js/polynomial-redos` | 6 | regex tightened or replaced with deterministic `startsWith` / `charCodeAt` scans; ReDoS-prone alternations bounded |
| `js/incomplete-sanitization` | 4 | escape `\\` BEFORE adding new backslashes from quote/pipe/SQL-LIKE escapes |
| `js/file-system-race` | 3 | TOCTOU closed by collapsing `stat`+`read` into a single fd handle |
| `js/redos` (exponential) | 1 | tightened SCIP descriptor regex char class |
| `js/incomplete-url-substring-sanitization` | 1 | `new URL().hostname` in test fixture |

### CodeQL MEDIUM (low-hanging, 6) —
`packages/scip-ingest/src/runners/index.ts` + `property-access.ts`
- 3× `js/shell-command-*` — explicit `shell: false` in spawn calls;
absolute-path resolution before exec
- 1× `js/indirect-command-line-injection`, 1×
`js/shell-command-injection-from-environment` — same fix
- 2× `js/overly-large-range` — drop redundant `A-Z` from `[A-Za-z\\w]`

### Scorecard HIGH — Token-Permissions (4)
- `codeql.yml`, `semgrep.yml`, `release-please.yml`, `sbom.yml`
(sbom.yml has been retired; SBOM now lives in `release.yml` with proper
job-scoped permissions). Top-level hoisted to `contents: read`; write
scopes granted only on the job that needs them.

### Scorecard MEDIUM — Pinned-Dependencies (39)
Every `uses:` across all 9 workflows pinned to a 40-char SHA with a
trailing `# vX.Y.Z` comment. Dependabot updated to group all
`github-actions` SHA bumps into a single weekly PR. `npm i -g node-gyp`
pinned to `node-gyp@12.3.0`.

Single documented exception:
`slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0`
is intentionally tag-pinned per the SLSA project's trust model (the
trusted-builder protocol verifies the tag boundary; SHA-pinning
short-circuits SLSA's provenance chain). Documented inline + in
`RELEASE.md`.

## Release pipeline (new)

### `.github/workflows/release.yml` (new, 351 lines)
Triggered by `release: [published]` and via `workflow_call` from
`release-please.yml`. Job graph:
1. **`build`** — pnpm install + `pnpm -r build` + CycloneDX SBOM 1.5 +
OCH analyze + OCH code-pack on the released SHA
2. **`scan`** — OCH self-scan + SARIF upload to code-scanning under
category `release`
3. **`sign`** — cosign keyless (Sigstore OIDC) signs every artifact
(SBOM, code-pack, attestations) and emits `.sig.bundle` files
4. **`provenance`** — SLSA L3 generator-generic-slsa3 reusable workflow
emits `slsa.intoto.jsonl`
5. **`upload`** — attaches everything to the GitHub release in lockstep
6. **`publish`** (gated, off by default) — `vars.OCH_NPM_PUBLISH_ENABLED
== 'true'` operator switch for future npm publish of `@opencodehub/cli`
and `@opencodehub/mcp`

### `.github/workflows/pre-release-gate.yml` (new)
Triggers on the release-please PR (`head_ref: ^release-please--`). Adds
release-time scans not in the regular CI (npm-audit at high+, lockfile
integrity, detect-secrets full sweep, license re-assert) plus an `if:
always()` aggregator suitable as a required status check before the
release PR can merge.

### `.github/workflows/release-please.yml` (refactor)
Reduced to: run `release-please-action` → on `release_created`, hand off
via `workflow_call` to `release.yml`. Sidesteps the durable-lesson
finding that default `GITHUB_TOKEN` does not fire downstream `release:
[published]` events. `release.yml` also listens on `release: published`
so PAT-driven and manual `gh release create` flows still trigger the
same pipeline.

### `.github/workflows/sbom.yml` (deleted)
Consolidated into `release.yml`'s `build` job — SBOM, code-pack, and
SARIF now share one anchored SHA.

### `docs/RELEASE.md` (new, 271 lines)
Operator runbook: trigger model · asset inventory · cosign +
slsa-verifier verification commands · manual hotfix path · environment
configuration (cosign keyless requires only OIDC — no secrets to
provision).

## Validation

- `mise run check` exit 0 (lint + typecheck + 1,339 tests across 8
packages + banned-strings + verdict)
- `bash scripts/smoke-mcp.sh` → PASS (29 tools)
- `actionlint .github/workflows/*.yml` clean
- All 11 YAML files (`workflows/` + `dependabot.yml`) parse via PyYAML
- `rg 'AC-[A-Z]-[0-9]' packages/ scripts/` empty (zero spec-coordinate
leakage)
- Per-package test counts: analysis 127, cli 236, embedder 79+1skip,
frameworks 86, ingestion 607, mcp 167, scip-ingest 58, wiki 15

## Test plan

- [ ] CI green on `chore/security-and-release-hardening`
- [ ] CodeQL re-scan on PR shows 15 HIGH alerts fixed (CodeQL re-runs
automatically; existing alerts auto-close on the next push to main)
- [ ] Scorecard re-scan shows TokenPermissions HIGH alerts cleared (next
weekly cron)
- [ ] After merge, the next `release-please-action` PR exercises the new
`pre-release-gate.yml`
- [ ] After the next tag, manually verify cosign + slsa-verifier per
`docs/RELEASE.md` instructions

## Out of scope

- Scorecard `BinaryArtifactsID` (3) — vendored Tree-sitter `.wasm` blobs
are intentional and reproducibly built
(`scripts/build-vendor-wasms.sh`); no fix.
- Scorecard `MaintainedID` / `CodeReviewID` / `VulnerabilitiesID` /
`CIIBestPracticesID` / `FuzzingID` / `SASTID` — repo-meta signals, not
code fixes; release-grade workflow + Scorecard re-run will improve these
naturally.
- CodeQL `note` severity (2 alerts) — out of scope per request.
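The CodeQL HIGH and MEDIUM tables in the message above name the patterns and the fixes but show no code. The block below is an added example, not OCH source, that puts the flagged shape next to the fixed shape for three of them: the escape-ordering bug behind `js/incomplete-sanitization` (made observable with a small constructed LIKE evaluator), the `stat`+`read` TOCTOU behind `js/file-system-race` collapsed onto a single file handle, and the `shell: false` argv-array spawn from the `js/shell-command-*` fixes. All function names are assumptions and the sample inputs are constructed; `process.execPath` stands in for a resolved absolute tool path.

```typescript
import { promises as fs } from "node:fs";
import { spawnSync } from "node:child_process";
import * as os from "node:os";
import * as path from "node:path";

// Added example, not OCH source: three of the CodeQL patterns listed above,
// each as the flagged shape beside the fixed shape. Function names are
// assumptions; likeMatch is a small constructed LIKE evaluator used only to
// make the effect of escape ordering observable.

// js/incomplete-sanitization. Flagged: wildcards escaped first, then the
// backslash pass doubles the backslashes it just added and re-arms them.
export function escapeLikeBroken(s: string): string {
  return s.replace(/%/g, "\\%").replace(/_/g, "\\_").replace(/\\/g, "\\\\");
}
// Fixed: escape the escape character first, then add new backslashes.
export function escapeLike(s: string): string {
  return s.replace(/\\/g, "\\\\").replace(/%/g, "\\%").replace(/_/g, "\\_");
}

// Minimal SQL LIKE evaluator with "\" as ESCAPE: % any run, _ one char.
export function likeMatch(p: string, t: string): boolean {
  const memo = new Map<string, boolean>();
  const go = (i: number, j: number): boolean => {
    const key = `${i},${j}`;
    const hit = memo.get(key);
    if (hit !== undefined) return hit;
    let r: boolean;
    if (i === p.length) r = j === t.length;
    else if (p[i] === "\\" && i + 1 < p.length) r = j < t.length && t[j] === p[i + 1] && go(i + 2, j + 1);
    else if (p[i] === "%") r = go(i + 1, j) || (j < t.length && go(i, j + 1));
    else if (p[i] === "_") r = j < t.length && go(i + 1, j + 1);
    else r = j < t.length && t[j] === p[i] && go(i + 1, j + 1);
    memo.set(key, r);
    return r;
  };
  return go(0, 0);
}

// js/file-system-race. Flagged: stat by path, then read by path; the file can
// be replaced between the two calls, so the size check guarded another file.
export async function readBoundedBroken(file: string, maxBytes: number): Promise<Buffer | null> {
  const st = await fs.stat(file);
  if (st.size > maxBytes) return null;
  return fs.readFile(file);
}
// Fixed: open once; stat and read go through the same handle (same inode).
export async function readBounded(file: string, maxBytes: number): Promise<Buffer | null> {
  const fh = await fs.open(file, "r");
  try {
    const st = await fh.stat();
    if (st.size > maxBytes) return null;
    return await fh.readFile();
  } finally {
    await fh.close();
  }
}

// js/shell-command-*. Fixed shape: absolute binary, argv array, shell: false,
// so shell metacharacters in an argument reach the child as literal text.
export function runLiteral(bin: string, args: string[]): string {
  const r = spawnSync(bin, args, { shell: false, encoding: "utf8" });
  if (r.status !== 0) throw new Error(r.stderr);
  return r.stdout;
}

export function demoEscaping(): { brokenKeepsWildcard: boolean; fixedIsLiteral: boolean } {
  const userInput = "%"; // a literal percent sign the caller wants matched exactly
  return {
    brokenKeepsWildcard: likeMatch(escapeLikeBroken(userInput), "\\anything"),
    fixedIsLiteral: likeMatch(escapeLike(userInput), "%") && !likeMatch(escapeLike(userInput), "abc"),
  };
}

export async function demoRead(): Promise<{ small: number; large: boolean }> {
  const dir = await fs.mkdtemp(path.join(os.tmpdir(), "fd-race-"));
  const file = path.join(dir, "blob.bin");
  await fs.writeFile(file, Buffer.alloc(16, 1));
  const small = (await readBounded(file, 32))?.length ?? -1;
  const large = (await readBounded(file, 8)) === null;
  await fs.rm(dir, { recursive: true, force: true });
  return { small, large };
}

export function demoSpawn(): string {
  // process.execPath stands in for a resolved absolute tool path.
  return runLiteral(process.execPath, ["-p", "process.argv[1]", "a; echo hijacked"]).trim();
}
```

The escaping case is the one worth internalising: with the broken order a user-supplied `%` becomes `\\%`, which the database reads as an escaped backslash followed by a live wildcard, so the "sanitised" input still matches everything. The race cannot be shown deterministically in a test, which is exactly why the fix is structural (one handle) rather than a retry.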
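The Scorecard Token-Permissions and Pinned-Dependencies sections in the message above state the rules (top-level `contents: read` with write scopes granted per job; every `uses:` pinned to a 40-char SHA with a trailing `# vX.Y.Z` comment; one tag-pinned SLSA generator exception). The block below is an added example, not the project's own tooling: a line-level checker that enforces those rules on workflow text. The sample workflow is constructed, its SHAs are placeholder hex rather than real action commits, and `actions/setup-node` appears only as an illustrative action name.

```typescript
// Added example, not OCH's own tooling: a line-level checker for the two
// Scorecard findings above. It flags `uses:` refs not pinned to a 40-hex
// commit SHA, SHA pins missing the trailing `# vX.Y.Z` comment, and
// top-level `permissions:` entries that grant write. The allow-list carries
// the one documented SLSA-generator exception. SAMPLE_WORKFLOW is
// constructed, and its SHAs are placeholder hex, not real action commits.

export type FindingKind = "unpinned" | "missing-version-comment" | "top-level-write";
export interface Finding { line: number; kind: FindingKind; detail: string }

// Reusable workflows that must stay tag-pinned for their own trust model.
const TAG_PIN_ALLOWLIST = new Set([
  "slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml",
]);
const USES_RE = /^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$/;
const SHA_RE = /^[0-9a-f]{40}$/;
const VERSION_COMMENT_RE = /^#\s*v?\d/;

export function checkWorkflow(yamlText: string): Finding[] {
  const findings: Finding[] = [];
  let inTopPermissions = false; // inside the column-0 `permissions:` block
  yamlText.split("\n").forEach((raw, idx) => {
    const line = idx + 1;
    const m = USES_RE.exec(raw);
    if (m) {
      const ref = m[1];
      const comment = m[2] ?? "";
      // Local actions and docker images are not SHA-pinnable the same way.
      if (!ref.startsWith("./") && !ref.startsWith("docker://")) {
        const at = ref.lastIndexOf("@");
        const repoPath = at === -1 ? ref : ref.slice(0, at);
        const version = at === -1 ? "" : ref.slice(at + 1);
        if (SHA_RE.test(version)) {
          if (!VERSION_COMMENT_RE.test(comment)) findings.push({ line, kind: "missing-version-comment", detail: ref });
        } else if (!TAG_PIN_ALLOWLIST.has(repoPath)) {
          findings.push({ line, kind: "unpinned", detail: ref });
        }
      }
    }
    if (/^permissions:/.test(raw)) {
      inTopPermissions = true;
      if (raw.slice("permissions:".length).trim() === "write-all") {
        findings.push({ line, kind: "top-level-write", detail: "write-all" });
      }
    } else if (inTopPermissions) {
      if (/^\s+[\w-]+:\s*write\s*$/.test(raw)) findings.push({ line, kind: "top-level-write", detail: raw.trim() });
      else if (raw.trim() !== "" && !/^\s/.test(raw)) inTopPermissions = false; // block ended
    }
  });
  return findings;
}

// Constructed sample: one top-level write scope, one tag-pinned action, one
// SHA pin without a version comment, a local action, a job-scoped write
// (allowed) and the allow-listed SLSA reusable workflow.
export const SAMPLE_WORKFLOW = `name: ci
on: [push]
permissions:
  contents: read
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: actions/upload-artifact@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-thing
  provenance:
    permissions:
      id-token: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
`;

export function demo(): string[] {
  return checkWorkflow(SAMPLE_WORKFLOW).map((f) => `${f.line}: ${f.kind} ${f.detail}`);
}
```

Job-scoped `permissions:` blocks are deliberately ignored: the rule is that write scopes live on the job that needs them, so only the column-0 block is a finding. The version-comment check exists because a bare SHA is unreviewable; the comment is what a reader (and Dependabot's grouped bump) uses to tell which release the hash corresponds to.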

dependabot[bot] added the `dependencies` (Pull requests that update a dependency file) and `javascript` (Pull requests that update javascript code) labels on May 10, 2026.
theagenticguy and others added 2 commits May 10, 2026 13:57
…section (#87)

## Summary

The OpenCodeHub Starlight docs site was deleted in PR #53 (May 4, commit
`4431b53`) under T-M2-3 with the explicit promise to spin it up as
`theagenticguy/opencodehub-docs`. That separate repo was never created.
The site at https://theagenticguy.github.io/opencodehub/ has been
serving the May 1 snapshot ever since — 28-tool / DuckDB-default / Node
20 / 14-language prose, missing every milestone since (M3-M7, Track A-D,
parse-runtime flip, 20-scanner inventory, supply-chain hardening).

This PR restores `packages/docs/` + `.github/workflows/pages.yml` from
`4431b53^`, refreshes every page against v1 reality, adds a deep
agent-friendly `agents/` section, ships a machine-readable tool catalog,
hardens the workflow, and lifts `LadybugDB` out of the banned-strings
policy now that it's a first-class product name.

Three deep specialists ran in parallel after the bulk-restore, with one
polish pass at the end.

## What's in here

### Restoration (`f801f1a`)
56 files restored from history. Build clean out of the box: 47 pages,
links valid, Pagefind index, llm-nav banners.

### Content refresh (8 commits, `00a0fce` → `c0376d8`)
- **Start here** — install (Node 22 or 24, mise, `codehub init`),
quick-start (first MCP call), what-is-opencodehub, codehub-init,
first-query — all v1.
- **MCP** — `mcp/overview.md` reframes 29 tools across five families
(exploration, group/federation, scan/findings/verdict, HTTP/routing,
meta). `mcp/tools.md` rewritten as full per-tool catalog with
when-to-use / when-not-to-use / signature / example. `mcp/resources.md`
+ `mcp/prompts.md` updated.
- **Reference** — `cli.md` verified against `packages/cli/src/index.ts`
shape; `configuration.md` env-var inventory + `AMBIGUOUS_REPO` envelope
+ `EMBEDDER_MISMATCH` from ADR 0014; `languages.md` 15-language table;
`error-codes.md` current set.
- **Architecture** — overview, monorepo-map (17 packages, dropped
eval/gym, added cobol-proleap/frameworks/pack/policy/wiki), embeddings
(3-backend precedence), parsing-and-resolution (WASM-default + native
opt-in), determinism (graphHash invariant), scanners-and-sarif
(20-scanner inventory), scip-reconciliation, supply-chain, adrs
(0001-0014 index).
- **New architecture pages** — `storage-backend.md` (LadybugDB + DuckDB
segregation, IGraphStore/ITemporalStore, community-adapter escape
hatch); `cross-repo-federation.md` (repo-as-typed-node, AMBIGUOUS_REPO,
group_* tools); `lessons.md` (pointer to `.erpaval/solutions/`).
- **New guides** — `migrating-from-duckdb.md` (three migration paths).
- **Index hero** — splash with three CTAs (Install / Use / Develop)
using Starlight `<Card>` / `<CardGrid>` — no marketing tiles.
- **Sidebar IA** — Start here · Agents · MCP · Reference · Guides ·
Architecture · Skills · Contributing.
- **astro.config llms-txt** — `description` + `details` rewritten with
current 29-tool / 15-language / LadybugDB-default reality (per the
durable lesson `llms-txt-as-ground-truth.md`).

### Tool catalog as data (`b112b67`)
`packages/docs/public/tool-catalog.json` — machine-readable canonical
catalog of all 29 tools. Schema: `{ tools: [{ name, family, description,
when_to_use, when_not_to_use, signature_sketch, example }] }`. Agents can
`fetch('https://theagenticguy.github.io/opencodehub/tool-catalog.json')`.

### Agents section (4 commits, `4e55203` → `3547b74`)
A new `packages/docs/src/content/docs/agents/` section, 14 pages,
dedicated to AI-coding-agent discovery + usage:
- `agents/index.md` — section landing with 90-second setup + 5-editor
card grid.
- `agents/why-mcp.md` — what an agent can't see without the graph; three
failure modes; four MCP tool families.
- `agents/install.md` — generic install for any MCP-speaking agent:
prereqs, `mise run cli:link`, `codehub init` (writes `.mcp.json` +
plugin link), `codehub analyze`, `codehub doctor`, per-editor handoff.
- `agents/editors/claude-code.md` — deepest editor page: `.mcp.json`
shape, 5 slash commands, `code-analyst` subagent, all 11 skills tabled,
`hooks.json`.
- `agents/editors/cursor.md` — `.cursor/mcp.json` (project + global),
absolute-path fallback, verification.
- `agents/editors/codex.md` — `~/.codex/config.toml` + CLI helper,
stdio-only caveat.
- `agents/editors/windsurf.md` — `~/.codeium/windsurf/mcp_config.json`,
restart caveat.
- `agents/editors/opencode.md` — `opencode.json` with the differing key
shape (`mcp` vs `mcpServers`, `command: [...]`, `environment` vs `env`).
- `agents/tool-decision-matrix.md` — 21-row single-repo intent → tool
table with anti-pattern column, plus 5-row group-mode table and a "When
to chain" section.
- `agents/idiomatic-prompts.md` — 5 paste-ready prompts (rename audit /
auth-flow surfacing / HTTP contract reconstruction /
findings-vs-baseline / onboarding) with target editor + expected tool
calls + expected output.
- `agents/discovery-and-resources.md` — site URL, `/llms.txt`,
`/llms-full.txt`, `/llms-small.txt`, `/tool-catalog.json`, `AGENTS.md`,
`CLAUDE.md`, registries.
- `agents/registries.md` — Official MCP Registry (`server.json` shape),
Smithery (`smithery.yaml` shape), Glama, awesome-mcp-servers, aggregator
directories.
- `agents/llms-txt-cheatsheet.md` — picking guidance for the three core
bundles + custom sets.

### Banned-strings policy (`d8dddb2`)
Removed `ladybug` and `kuzu` from `BANNED_LITERALS` in
`scripts/check-banned-strings.sh`. LadybugDB is the default graph
backend (M7) and a first-class product name in docs. The original ban
dated from when the project was still deciding which graph engine to
vendor; that decision shipped. `kuzu` is retained as historical lineage
in cross-link prose ("the open-source successor to the pre-1.0 Kuzu
codebase") which already lives in ADR 0011.

### Pages workflow hardening (`c54231d`)
- `actions/checkout@v6` → `@de0fac2e...` (v6.0.2)
- `jdx/mise-action@v4` → `@c37c9329...` (v2.4.4)
- `actions/upload-pages-artifact@v5` → `@fc324d35...`
- `actions/deploy-pages@v5` → `@cd2ce8fc...`

Top-level `permissions: contents: read`; write scopes (`pages: write` +
`id-token: write`) granted only on the `deploy` job. Resolves the same
Token-Permissions HIGH pattern fixed in PR #78 for the other 4
workflows.

### LadybugDB polish (`3c7166b`)
38 prose substitutions across 13 files: replace awkward "the
graph-database backend" workarounds with plain "LadybugDB" now that the
literal is allowed. `@ladybugdb/core` (npm package) and `graph.lbug`
(file extension) preserved.

## Validation

- `mise run check` exit 0 — 1,339 tests across 8 packages (lint +
typecheck + test + banned-strings + verdict)
- `pnpm -F @opencodehub/docs build` — **64 pages built, all internal
links valid**, Pagefind index ok, llm-nav banners patch all 63 .md files
- `actionlint .github/workflows/*.yml` — clean
- `bash scripts/check-banned-strings.sh` — PASS
- `rg 'AC-[A-Z]-[0-9]|T-M[0-9]+-[0-9]+|W-[A-Z]-[0-9]+|S-[A-Z]-[0-9]+|E-[A-Z]-[0-9]+|CL-[A-Z]+|architecture-revised\.md' packages/docs/src/` — zero hits
- Marketing-words sweep (`effortless`, `leverage`, `synergy`,
`world-class`, `blazing-fast`, `cutting-edge`) — zero hits in docs prose

## Test plan

- [ ] CI green on `docs/site-restore-v1`
- [ ] After merge, the Pages workflow at `.github/workflows/pages.yml`
triggers on first push to `main` (paths-filter on `packages/docs/**`)
- [ ] Deployed site at https://theagenticguy.github.io/opencodehub/
replaces the May 1 snapshot
- [ ] Manual verification: visit /agents/, /mcp/tools/,
/tool-catalog.json
- [ ] Manual verification: `/llms.txt`, `/llms-full.txt`,
`/llms-small.txt` all resolve and contain "29 tools" / "LadybugDB" /
"WASM" facts

## Out of scope

- Submission to `skills.sh`, the official MCP Registry, Smithery,
awesome-mcp-servers — research file at
`.erpaval/sessions/session-05809d/research-skills-sh.md` and
`.erpaval/sessions/session-05809d/research-agent-docs.md` capture the
exact shape; PR-able as separate follow-ups.
- Importing `.erpaval/solutions/**.md` as a Starlight content collection
— investigated, deemed not worth shipping (lessons audience is the agent
at edit-time, not docs readers; some lesson titles include literals the
docs build's other guardrails reject). The `architecture/lessons.md`
stub points readers at the directory.
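The two hardening patterns from the `pages.yml` commit above (every `uses:` pinned to a full commit SHA, write scopes kept off the top-level `permissions:` block) can be checked mechanically before review. The script below is an added example, not code from the opencodehub repo: it assumes a POSIX `sh` with `awk`, `grep`, `expr` and `mktemp`, and the two workflows and SHAs inside it are constructed placeholders, not the real pinned commits. It checks the general pattern over any workflow file, not only the four actions named in the commit.

```shell
# Added example (not from the opencodehub repo): lint a GitHub Actions workflow
# for unpinned actions and top-level write scopes. Placeholders are constructed.
# Print one finding per line for workflow $1; always returns 0.
check_workflow() {
  file=$1
  # 1. Every `uses:` ref must end in a 40-hex commit SHA; tags like @v6 are mutable.
  awk '/^[[:space:]]*-?[[:space:]]*uses:/ {
         sub(/^[^:]*:[[:space:]]*/, ""); sub(/[[:space:]]+#.*$/, ""); print }' "$file" |
  while read -r ref; do
    case "$ref" in ./*|docker://*) continue ;; esac   # local/container refs skipped
    sha=${ref##*@}
    [ "$(expr "$sha" : '[0-9a-f]\{40\}$')" -eq 40 ] || echo "unpinned: $ref"
  done
  # 2. A top-level `permissions:` block must exist and grant no write scope;
  #    indented job-level blocks may still add `pages: write` / `id-token: write`.
  top=$(awk '/^permissions:/ {p=1; print; next} /^[^[:space:]#]/ {p=0} p' "$file")
  if [ -z "$top" ]; then
    echo "missing: no top-level permissions block (GitHub default is broad)"
  elif printf '%s\n' "$top" | grep -q write; then
    echo "write-scope: top-level permissions grant write"
  fi
}
count_findings() { check_workflow "$1" | wc -l | tr -d ' '; }   # for CI gates
# Constructed "before": tag-pinned actions plus a blanket write-all.
WEAK=$(mktemp); cat >"$WEAK" <<'EOF'
permissions: write-all
jobs:
  deploy:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/upload-pages-artifact@v5
      - uses: actions/deploy-pages@v5
EOF
# Constructed "after": read-only top level, write scopes only on the deploy job.
HARD=$(mktemp); cat >"$HARD" <<'EOF'
permissions:
  contents: read
jobs:
  deploy:
    permissions:
      pages: write
      id-token: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2 placeholder
      - uses: actions/deploy-pages@fedcba9876543210fedcba9876543210fedcba98
EOF
check_workflow "$WEAK"   # 3 unpinned refs + 1 write-scope finding
check_workflow "$HARD"   # no output
```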
Bumps [@commitlint/cli](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/cli) from 20.5.3 to 21.0.0.
- [Release notes](https://github.com/conventional-changelog/commitlint/releases)
- [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/cli/CHANGELOG.md)
- [Commits](https://github.com/conventional-changelog/commitlint/commits/v21.0.0/@commitlint/cli)

---
updated-dependencies:
- dependency-name: "@commitlint/cli"
  dependency-version: 21.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@theagenticguy
Owner

Closing — branch was rooted in pre-rewrite history (stale blobs). Re-applied as part of #91.

@theagenticguy theagenticguy deleted the dependabot/npm_and_yarn/commitlint/cli-21.0.0 branch May 10, 2026 20:08
@dependabot @github
Author

dependabot Bot commented on behalf of github May 10, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

theagenticguy added a commit that referenced this pull request May 11, 2026
## Summary

Re-applies the bumps from the 8 dependabot branches that were rooted in
pre-rewrite history (and would otherwise carry stale blobs forward).
Closes #79, #80, #81, #82, #83, #84, #85, #86.

### npm deps
- `@aws-sdk/client-bedrock-runtime` 3.1043.0 → 3.1045.0 (was #82)
- `@aws-sdk/client-sagemaker-runtime` 3.1043.0 → 3.1045.0 (was #86)
- `@commitlint/cli` 20.5.3 → 21.0.0 (was #84)
- `@commitlint/config-conventional` 20.5.3 → 21.0.0 (was #83)
- `onnxruntime-node` 1.25.1 → 1.26.0 (was #85)
- `write-file-atomic` 7.0.1 → 8.0.0 (was #81)
- typescript-tooling group: `@biomejs/biome` 2.4.13 → 2.5.0,
`@types/node` 25.6.0 → 25.7.0 (was #80)

### GitHub Actions
- github-actions group, 3 updates (was #79)

## Test plan
- [x] `pnpm install` clean (no peer-dep regressions beyond what main
already had)
- [x] `pnpm -r build` — all 18 packages build
- [x] `pnpm run typecheck` — clean
- [x] `pnpm run test` — 2019 pass, 0 fail across 18 packages
- [x] No `pnpm.onlyBuiltDependencies` rewrite (verified by diff)