release: development → main — Phase 22 wizard modernisation + site honesty pass-5

.claude/skills/cut-release/SKILL.md

@@ -174,7 +174,8 @@ If the install fails or returns the wrong version, investigate the workflow run.
 
 ### 1. Announce
 
-Template in [docs/marketing/05_content_strategy.md](../../../docs/marketing/05_content_strategy.md) under "New Release":
+Use this template (the maintainer keeps a longer canonical version in
+local working memory; the spirit is the same):
 
 ```
 📦 ForgeLM v0.4.0 released!
@@ -205,7 +206,10 @@ git push
 
 ### 3. Update marketing roadmap metrics
 
-[`docs/marketing/marketing_strategy_roadmap.md`](../../../docs/marketing/marketing_strategy_roadmap.md) — metrics row for the release month.
+The maintainer keeps a marketing roadmap in local working memory
+(gitignored).  Add a metrics row for the release month there as part
+of the release-day checklist; nothing on the public surface needs to
+change.
 
 ### 4. Close the phase (if applicable)
 

.claude/skills/sync-bilingual-docs/SKILL.md

@@ -17,12 +17,15 @@ Any change to these paths or their siblings:
 
 Do **not** use for:
 - `docs/standards/*` (English only)
-- `docs/marketing/*` (local-only, mixed)
-- `docs/analysis/*` (whichever language suits the source)
+- `docs/marketing/*` (gitignored working-memory; mixed languages)
 - `docs/qms/*` (English only)
 - `docs/design/*` (English only)
 - `docs/guides/*` (English only for now — Turkish is future work)
 
+Do **not** reference any file under gitignored working-memory directories
+(`docs/marketing/`, `docs/analysis/`) from the bilingual docs you edit —
+those paths are local-only and won't resolve in fresh clones.
+
 ## Required reading
 
 1. [docs/standards/localization.md](../../../docs/standards/localization.md) — the full policy

.codacy.yaml

@@ -0,0 +1,24 @@
+# Codacy configuration — exclusion paths for generated artefacts.
+#
+# The exclusions below pin two categories that produce false-positive
+# Codacy findings for this project:
+#
+# 1. ``site/js/wizard_defaults.js`` is a build-time artefact emitted by
+#    ``tools/generate_wizard_defaults.py`` from Pydantic field defaults
+#    flagged with ``json_schema_extra={"wizard": True}`` (F1 review-cycle 3).
+#    PMD's ``InaccurateNumericLiteral`` rule flags scientific notation
+#    like ``2e-05``; the value comes from Python's ``json.dumps`` which
+#    chooses scientific notation for small floats — and the JS consumer
+#    canonicalises with ``Number.toExponential()`` so precision is never
+#    operator-visible.  The CI guard
+#    ``tools/check_wizard_defaults_sync.py`` already verifies the
+#    generated content matches the schema byte-for-byte; secondary
+#    static analysis adds no signal.
+#
+# 2. ``forgelm/wizard/_defaults.json`` — same generator output for the
+#    Python consumer.  Plain JSON, no analysis applies.
+#
+# Codacy's analysis YAML format mirrors GitHub Actions' path globs.
+exclude_paths:
+  - site/js/wizard_defaults.js
+  - forgelm/wizard/_defaults.json

.github/workflows/nightly.yml

@@ -258,7 +258,25 @@ jobs:
         run: |
           # pip-audit returns non-zero on any finding; capture the JSON
           # and apply our own severity policy via tools/check_pip_audit.py.
-          pip-audit --format json --output /tmp/pip-audit.json || true
+          #
+          # Vulnerability ignores (each ignore must carry a written
+          # justification + remove-after condition; review at every
+          # release cycle).  Issue #37 tracks the active set.
+          #
+          # CVE-2026-1839 — transformers, fix: 5.0.0rc3 (release candidate).
+          # ForgeLM's pyproject pins ``transformers>=4.38.0,<5.0.0`` and
+          # the 5.x branch is a major version bump that breaks downstream
+          # callers (TRL adapter signature changes + tokenizer-config
+          # API drift).  The CVE has no 4.x backport at the time of
+          # ignore (verified 2026-05-10).  Stop-gap until either (a)
+          # transformers ships a 4.x point release with the fix or
+          # (b) ForgeLM cuts a tracked major-version-bump cycle that
+          # raises the upper bound.  Re-evaluate at each release.
+          pip-audit \
+              --format json \
+              --output /tmp/pip-audit.json \
+              --ignore-vuln CVE-2026-1839 \
+              || true
           python3 tools/check_pip_audit.py /tmp/pip-audit.json
 
       - name: bandit (static security analysis)

.gitignore

@@ -1,33 +1,9 @@
-# Internal strategy, marketing, and analysis docs (not public)
+# Gitignored working-memory directories — local-only PR-cycle audit
+# notes, external-repo comparisons, drafts.  See
+# ``docs/standards/documentation.md`` ("Working-memory directories")
+# for the rule: no public-doc / production-code references allowed.
 docs/marketing/
 docs/analysis/
-# Explicit exceptions: a small set of v0.5.5-closure planning artifacts
-# is exposed publicly (referenced from closure PRs and the roadmap). The
-# rest of docs/analysis/** stays internal — including all subdirectories
-# (QKV-Core, Trion, autoresearch, proposals, ...) and every other file
-# under code_reviews/.
-#
-# Pattern explanation:
-#   1. docs/analysis/ — ignore everything under this dir
-#   2. !docs/analysis/ — re-allow the directory itself (so we can descend)
-#   3. docs/analysis/* — ignore every direct entry (subdirs + files)
-#   4. !docs/analysis/code_reviews/ — re-allow code_reviews/ subdir only
-#   5. docs/analysis/code_reviews/* — ignore every entry in code_reviews/
-#   6. !<three named files> — re-include the 3 closure planning artifacts
-!docs/analysis/
-docs/analysis/*
-!docs/analysis/code_reviews/
-docs/analysis/code_reviews/*
-!docs/analysis/code_reviews/closure-plan-202604300906.md
-!docs/analysis/code_reviews/master-review-opus-202604300906.md
-!docs/analysis/code_reviews/split-design-data_audit-cli-202604300906.md
-!docs/analysis/code_reviews/wave2b-final-merge-review-prompt.md
-!docs/analysis/code_reviews/wave3-review-prompt.md
-!docs/analysis/code_reviews/wave3-followup-review-prompt.md
-!docs/analysis/code_reviews/iso27001-soc2-alignment-202605052315.md
-!docs/analysis/code_reviews/wave4-review-prompt.md
-!docs/analysis/code_reviews/wave4-followup-review-prompt.md
-!docs/analysis/code_reviews/wave5-review-prompt.md
 
 # Generated by tools/build_usermanuals.py — produced from
 # docs/usermanuals/<lang>/**/*.md during the CI deploy. Not committed;

.markdownlint.json

@@ -2,7 +2,9 @@
   "//": "ForgeLM markdownlint policy. Consumed by Codacy's markdownlint scanner (loadbearing — without this config Codacy emits MD051 across every SPA hash-router link in docs/usermanuals/).",
   "//1": "MD051 (link-fragments-valid): docs use SPA hash-router routes like `#/data/audit` for in-app navigation; markdownlint's anchor-resolution doesn't understand SPA conventions and would flag every cross-reference.",
   "//2": "MD014 (commands-show-output): shell examples in operator docs deliberately show only the command (`$ forgelm audit ...`) without sample output — output snippets rot quickly across versions and would force a doc update on every CLI banner change.",
+  "//3": "MD013 (line-length): bilingual (EN+TR) reference + design docs intentionally carry long lines for paragraph-style explanations, table cells, and prose with long inline links. The 80-col limit is a code-style holdover that hurts readability of documentation; the project's bilingual_parity guard already enforces structural alignment, and the rest of the prose stays human-readable at any reasonable width.",
   "default": true,
   "MD051": false,
-  "MD014": false
+  "MD014": false,
+  "MD013": false
 }