feat(compliance): add foundation docs and CLAUDE.md #98
Pull request overview
Adds repository foundation documentation and AI-agent instruction files for compliance tracking, ADRs, and known vulnerability baseline management.
Changes:
- Adds Claude, Gemini, and agent catalog instruction files.
- Adds Claude Code permissions configuration.
- Adds known-vulnerability baseline and ADR documentation for Scorecard publishing behavior.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| `.claude/CLAUDE.md` | Adds Claude Code repository instructions, model selection, RAD guidance, and cross-references. |
| `.claude/settings.json` | Adds Claude Code allow/deny permission settings. |
| `AGENTS.md` | Adds specialized agent catalog and model assignment table. |
| `GEMINI.md` | Adds Gemini CLI repository context and writing guidance. |
| `docs/known-vulnerabilities.md` | Adds empty known-vulnerability tracking baseline. |
| `docs/architecture/adr-000-index.md` | Adds ADR index. |
| `docs/architecture/adr-001-scorecard-publish-results.md` | Documents Scorecard publish_results decision rationale. |
Comments suppressed due to low confidence (3)
`.claude/CLAUDE.md:30`
- This RAD cross-reference points to `docs/response-aware-development.md`, but that file is not present in the repository. Agents following this instruction will hit a broken link unless the referenced document is added or the link is corrected to an existing RAD document.
See: [docs/response-aware-development.md](https://github.com/ByronWilliamsCPA/.github/blob/main/docs/response-aware-development.md)
`docs/architecture/adr-001-scorecard-publish-results.md:21`
- The accepted decision describes adding a direct `self-scorecard` job with `publish_results: true`, but the current `.github/workflows/scorecard.yml` still delegates to `python-scorecard.yml` and has no direct publishing job. An ADR should record the implemented decision or this PR should include the workflow change it documents.
Add a direct, non-reusable `self-scorecard` job to `scorecard.yml` in this repo
that uses `publish_results: true`. This job runs the scorecard action directly
`docs/architecture/adr-001-scorecard-publish-results.md:29`
- This consequence is not true in the current repository: the existing `.github/workflows/scorecard.yml` calls the reusable workflow, whose scorecard step hard-codes `publish_results: false`, so the `.github` repo is not publishing results via a direct job.
- The `.github` repo itself publishes results via the direct job.
| - Reusable GitHub Actions workflows (`.github/workflows/python-*.yml`) | ||
| - Org-level profile (`profile/README.md`) | ||
|
|
||
| There is no Python package, no test suite, and no build system in this repo. |
| ## Repository Context | ||
|
|
||
| This repo contains GitHub org-level community health files and reusable GitHub Actions | ||
| workflows. There is no Python package or test suite. |
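Review bot: the claims "There is no Python package, no test suite, and no build system in this repo" (CLAUDE.md) and "There is no Python package or test suite" (GEMINI.md) overstate the gap: a later commit in this same PR records that a Bats suite exists under tests/ and is run by .github/workflows/shell-tests.yml. Narrow both sentences to the Python package and point agents at the Bats suite, otherwise they will skip the one validation step the repo actually has.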
| When a reusable workflow calls `ossf/scorecard-action`, the OIDC token `repository` | ||
| claim resolves to the calling repo (e.g., `ByronWilliamsCPA/some-python-project`), | ||
| which is correct. However, Scorecard's API lookup uses this claim to attribute results. | ||
| When the reusable workflow itself is tested in the `.github` repo via `self-test.yml`, | ||
| the OIDC token resolves to `ByronWilliamsCPA/.github`, which does match the repo we | ||
| want to score. The constraint is `publish_results: true` in the reusable workflow would | ||
| expose results for every calling repo under a single API entry. | ||
|
|
||
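Review bot: the Context section contradicts itself on where the OIDC `repository` claim resolves. "the OIDC token `repository` claim resolves to the calling repo (e.g., `ByronWilliamsCPA/some-python-project`), which is correct" and the closing constraint that `publish_results: true` in the reusable workflow "would expose results for every calling repo under a single API entry" cannot both be true; a single shared entry only follows if the claim resolves to the callee (`ByronWilliamsCPA/.github`), which is what the later fix commit in this PR states and what the comment in `python-scorecard.yml` is described as saying. Keep one statement, aligned with that comment, and drop "which is correct. However," since the sentence it introduces contrasts with nothing.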
| ## Decision | ||
|
|
||
| Keep `publish_results: false` in `python-scorecard.yml` (the reusable workflow). | ||
| Add a direct, non-reusable `self-scorecard` job to `scorecard.yml` in this repo | ||
| that uses `publish_results: true`. This job runs the scorecard action directly | ||
| (not via the reusable), so the OIDC token `repository` claim correctly resolves to | ||
| `ByronWilliamsCPA/.github`. | ||
|
|
||
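Review bot: the Decision records a direct `self-scorecard` job in `scorecard.yml` with `publish_results: true`, but no such job is in this change set; per the review comment above, the existing `scorecard.yml` still delegates to `python-scorecard.yml`. Either add the workflow change here or set the ADR status to Proposed and state that the job is deferred, so the ADR does not describe a configuration the repo does not have.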
| ## Consequences | ||
|
|
||
| - Downstream repos using `python-scorecard.yml` do not publish results (by design; | ||
| they opt in by adding their own scorecard workflow). |
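Review bot: the downstream consequence is fine, but its sibling "The `.github` repo itself publishes results via the direct job" is present tense for a job that does not exist yet, while the current `scorecard.yml` reaches `publish_results: false` through the reusable workflow. Reword to the future or conditional ("will publish ... once the direct job is added") so the Consequences section does not assert a publishing state that is not true today.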
| Gemini CLI tool names differ from Claude Code. See tool mapping in: | ||
| `~/.claude/skills/brainstorming/references/` for equivalents. |
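Review bot: `~/.claude/skills/brainstorming/references/` is a path under one user's home directory, not a file in this repository, so the tool mapping it points to is unavailable to other contributors and to agents running in CI, and the later fix commit notes the directory does not exist at all. Inline the Gemini-to-Claude tool-name mapping in GEMINI.md or reference a file tracked in this repo.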
PR Review: 3 Critical, 8 Important, 3 Suggested findings. Full report in conversation; summary below.
Critical (must fix before merge)
Important (should fix)
SonarQube: 0 issues (all changed files excluded by
🤖 Generated with Claude Code
- Create .claude/CLAUDE.md with model selection, RAD cross-ref, writing rules (CLAUDE-001..006)
- Create .claude/settings.json with allow/deny permission blocks (CLAUDE-002)
- Create AGENTS.md with agent catalog and model assignment table (CLAUDE-003)
- Create GEMINI.md with repo context and tool mapping stub (CLAUDE-004)
- Create docs/known-vulnerabilities.md with empty baseline (FOUND-007)
- Create docs/architecture/ with ADR index and ADR-001 for scorecard decision (FOUND-008)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… files
Add negation entries for CLAUDE.md and settings.json so future .claude/ additions do not require git add -f. Ephemeral session state remains ignored.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…approach
Three fixes from code quality review:
- ADR-001 Context: OIDC claim resolves to callee (.github), not caller; match the authoritative comment in python-scorecard.yml
- ADR-001 Status: change Accepted to Proposed since the direct self-scorecard job is deferred to Task 5 (OSSF PR)
- .gitignore: replace broad .claude/ exclusion with specific transient subdirs (.claude/cache/, .claude/session/, .claude/conversations/); git cannot unignore files inside an excluded directory via negation patterns
- CLAUDE.md: add no-em-dash hook reference to Writing Rules section
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… ADR accuracy
- settings.json: replace Bash(gh:*) blanket grant with scoped gh subcommands and expand deny list to block secret management, org ops, and destructive repo mutations; fixes security finding from PR #98 review
- .gitignore: add .claude/memories, logs, todos, worktrees, scheduled_tasks.lock to narrow transient exclusions; .claude/CLAUDE.md and settings.json remain tracked
- CHANGELOG.md: add missing [Unreleased] ### Added entries for CLAUDE.md, settings.json, AGENTS.md, GEMINI.md, known-vulnerabilities.md, and ADR docs
- GEMINI.md: replace dead ~/.claude/skills/brainstorming/references/ path with inline guidance; the referenced directory does not exist
- .claude/CLAUDE.md: replace 404 RAD link with reference to global CLAUDE.md
- docs/architecture/adr-000-index.md: fix status (Accepted -> Proposed), align table columns so pipes are consistent across header, separator, and data rows; update title to match ADR-001 heading
- docs/architecture/adr-001-scorecard-publish-results.md: fix title capitalisation, change present tense to future tense in Consequences for deferred self-scorecard job
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
aaf3c3c to 3606ca2
/pr-fix Summary
All findings from the /pr-review have been resolved. Branch was rebased onto main (1 commit ahead: fix(compliance): quick-wins remediation pass #97) before fixes were applied.
Fixes Applied
Critical
Important
Suggested
Commits Added
All changes passed pre-commit (trailing-whitespace, end-of-file-fixer, detect-private-key, TruffleHog).
CLAUDE.md and GEMINI.md previously stated 'no test suite' in the Repository Purpose / Repository Context sections. The repo does have a Bats test suite under tests/ (covered by .github/workflows/shell-tests.yml), so the statement was misleading agents about validation steps. Narrows the statement to 'no Python package' and points to the Bats suite (PR #98 review).
* fix(workflow-templates): correct fips-compatibility reusable path and cifuzzy SHA tag
  - python-fips-compatibility.yml: add missing .github/ path segment so the starter template resolves the reusable workflow at the actual location (ByronWilliamsCPA/.github/.github/workflows/python-fips-compatibility.yml); the previous path pointed to a non-existent file at repo root and would fail to load (PR #70, #94 review).
  - python-cifuzzy.yml: change the SHA comment for github/codeql-action/upload-sarif from '# v4' to '# v4.35.4' to match every other usage of the same SHA in this repo (PR #103 review).
* docs(workflows): add system-deps inputs to python-compatibility table
  Adds system-deps-ubuntu, system-deps-macos, and system-deps-windows rows to the inputs table so the caller-facing documentation matches the actual workflow_call interface (PR #105 review).
* docs(community): route vulnerability reports to private channels
  - profile/README.md: link to the GitHub Security Advisory creation form (/security/advisories/new) instead of the advisories list page, so reporters land directly on the private submission UI (PR #104 review).
  - SUPPORT.md: split the Contact section into general inquiries (Issues or Discussions) and security vulnerabilities (private reporting via Security Advisories), so the broad 'all inquiries' wording no longer routes vulnerability reports to public channels (PR #104 review).
* docs(agents): clarify that the Bats test suite under tests/ exists
  CLAUDE.md and GEMINI.md previously stated 'no test suite' in the Repository Purpose / Repository Context sections. The repo does have a Bats test suite under tests/ (covered by .github/workflows/shell-tests.yml), so the statement was misleading agents about validation steps. Narrows the statement to 'no Python package' and points to the Bats suite (PR #98 review).
* docs(changelog): record fips path and cifuzzy SHA tag fixes
  Adds two entries under [Unreleased] Fixed to surface the workflow-templates fixes already on this branch so downstream consumers know to re-copy the starter templates after the fips path correction.
* docs(agents): scope Bats coverage claim to update-pinned-actions.sh
  The previous wording 'covers the shell scripts in scripts/' implied broader validation than exists; only update-pinned-actions.bats runs, covering one of the six shell scripts in scripts/. Names the specific covered script and notes that the others are not yet tested.
* docs(workflows): fill default cells for system-deps inputs
  The three system-deps-{ubuntu,macos,windows} rows had empty Default cells, while every other row in the table specifies an explicit backtick-quoted default. The workflow YAML has no default: key for these inputs, so the actual default is the empty string; '' makes the table uniform and removes ambiguity between 'no documented default' and 'unset'.
* docs(workflows): add no-build input row to python-compatibility table
  The docs table did not list the public no-build boolean input (default true) added by PR #112; consumers had no way to discover how to opt out of --no-build for projects with a build backend like hatchling. Inserted in canonical YAML order after the system-deps-windows row.
---------
Co-authored-by: Claude <noreply@anthropic.com>

Summary
- `.claude/CLAUDE.md` with Model Selection section, RAD cross-reference, and writing rules (CLAUDE-001 through CLAUDE-006)
- `.claude/settings.json` with explicit allow/deny permission blocks (CLAUDE-002)
- `AGENTS.md` with agent catalog and model assignment table (CLAUDE-003)
- `GEMINI.md` with repo context stub (CLAUDE-004)
- `docs/known-vulnerabilities.md` with empty baseline (FOUND-007)
- `docs/architecture/` with ADR index and ADR-001 documenting the scorecard publish_results decision (FOUND-008)
Test plan
- `grep -c "Model Selection" .claude/CLAUDE.md` returns 1
- `grep -c "response-aware-development" .claude/CLAUDE.md` returns 1
- `python3 -c "import json; json.load(open('.claude/settings.json'))"` exits 0
- `ls AGENTS.md GEMINI.md docs/known-vulnerabilities.md docs/architecture/adr-000-index.md` all succeed
Generated with Claude Code