chore: migrate to HodeTech org + ignore new nightly CVE

[cemililik]

Summary

Two related housekeeping changes that both target main via development:

1. Org migration — the project moved to the HodeTech GitHub organization (github.com/HodeTech/ForgeLM). Updates every reference project-wide (271 refs / 99 files, 1:1 string replacements).
2. Nightly CVE ignore — adds transformers PYSEC-2025-217 to the project ignore list so the daily nightly goes green again.

1. Org migration

Category	Change
Repo URLs (256)	github.com/cemililik/ForgeLM → github.com/HodeTech/ForgeLM (README badges, pyproject.toml [project.urls], docs, user manuals EN+TR, notebooks, site/, CHANGELOG, CONTRIBUTING, issue-template, forgelm/model_card.py, standards, roadmap)
GHCR image (12)	ghcr.io/cemililik/forgelm → ghcr.io/hodetech/forgelm (lowercase namespace)
Contact email	ai-team@cemililik.com → forgelm@hodetech.io (CODE_OF_CONDUCT.md)
SonarCloud	organization=hodetech, projectKey=HodeTech_ForgeLM (sonar-project.properties)

git grep cemililik → 0 remaining. Guards green: anchor resolution, bilingual parity, user-manual self-contained, CLI help consistency, site-version, site-claims. ruff clean; model_card tests pass.

2. Nightly CVE ignore (transformers PYSEC-2025-217)

The new --ignores tools/pip_audit_ignores.yaml mechanism works on main (the run log shows CVE-2026-1839 correctly suppressed), but a fresh no-fix advisory dropped:

• PYSEC-2025-217 (CVE-2025-14929) — transformers X-CLIP checkpoint-conversion deserialization RCE. CVSS AV:L/UI:R (local + user must open a malicious checkpoint), affected through 5.0.0rc0, no fix in the pinned 4.x line.
• Same threat-model carve-out as the existing transformers/torch deserialization ignores: operators are documented as required to load only trusted checkpoints, and ForgeLM does not invoke X-CLIP checkpoint conversion.
• One-line data change in the ignore YAML — no workflow edit, exactly the maintainability win the PR fix(supply-chain): ignore 10 no-fix CVEs that broke nightly 2026-05-21 #59 review asked for.

The ignore-file loader self-validates (tools/check_pip_audit.py --ignores); 23 tests pass.

Repo-side follow-ups (not in this diff)

• SonarCloud project under the hodetech org with key HodeTech_ForgeLM; re-add SONAR_TOKEN secret if not inherited (repo currently lists no Actions secrets).
• GHCR package visibility / publish workflow under the new org.
• GitHub repo description is empty.

Closes #58

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores

  • Updated GitHub organization from cemililik → HodeTech across docs, configs, badges, site metadata, and project URLs
  • Updated container registry paths to ghcr.io/hodetech/forgelm
  • Updated SonarQube project metadata

• Documentation

  • Updated all documentation, notebooks, site pages and guides to point to the new repository and adjusted release/changelog links
  • Clarified pro-tier feature timelines and availability
  • Updated contact and privacy information on the site

• Security

  • Added a vulnerability ignore entry for the transformers package

[cemililik]

@coderabbitai review all

[coderabbitai]

@cemililik Sure! I'll kick off a full review of all the changes in this PR right away.

✅ Actions performed

Full review triggered.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 08989efe-1028-440d-83fe-2661c6fc18de

📥 Commits

Reviewing files that changed from the base of the PR and between 0613f80 and 009eec3.

📒 Files selected for processing (4)

• docs/usermanuals/en/deployment/chat.md
• docs/usermanuals/tr/deployment/chat.md
• site/js/translations.js
• tools/pip_audit_ignores.yaml

---

📝 Walkthrough

Walkthrough

This PR replaces repository/registry/organization references from cemililik/ForgeLM to HodeTech/ForgeLM across docs, site, notebooks, CI, project metadata, and adds a pip-audit ignore entry plus deployment-note and exit-code clarifications.

Changes

Repository & CI migration

Layer / File(s)	Summary
Agent skills and nightly workflow .agents/..., .claude/..., .github/workflows/nightly.yml	Updated announce and documentation-sync skill templates and nightly notebook validation to reference HodeTech/ForgeLM.
GitHub templates & project metadata .github/ISSUE_TEMPLATE/config.yml, pyproject.toml, sonar-project.properties, CODE_OF_CONDUCT.md	Updated contact links, project URLs, Sonar identifiers, and enforcement contact email to HodeTech/hodetech.

Documentation & manuals

Layer / File(s)	Summary
README and contributor guides README.md, CONTRIBUTING.md	Updated CI badge, Colab links, clone commands, contributor links, and upstream remote to HodeTech/ForgeLM.
Changelog and release notes CHANGELOG.md, docs/roadmap/releases.md	Repointed issue links, release tag URLs, and version-compare links to HodeTech.
Quickstart & references docs/guides/quickstart*.md, docs/reference/usage*.md	Updated git clone, LICENSES/template links, and SyntheticConfig cross-references to HodeTech.
Compliance & governance docs docs/usermanuals/**/compliance/*	Repointed Audit Event Catalog, QMS, deployer, and segregation-of-duties links to HodeTech across languages.
Operations, data & deployment docs docs/usermanuals/**/operations/*, docs/usermanuals/**/deployment/*	Updated GHCR image references to ghcr.io/hodetech/forgelm, roadmap links, and cross-references across EN/TR docs.
Standards & references docs/standards/*, docs/usermanuals/**/reference/*	Updated code-review scope, documentation examples, exit-codes contract text, JSON output links, library API and performance references.

Code, notebooks, model card

Layer / File(s)	Summary
Model card & notebooks forgelm/model_card.py, notebooks/*.ipynb	Changed model-card attribution URL, Colab badges, wget/git fallbacks, and "Where next" links to HodeTech/ForgeLM.

Website & translations

Layer / File(s)	Summary
Site pages & config site/*.html, site/js/guide.js, site/README.md	Updated JSON-LD sameAs, CTA/footer community links, guide edit-base, and site README fork instructions to HodeTech.
Translations & privacy site/js/translations.js	Updated compliance cookbook links for multiple locales and rewrote privacy.body across languages to detail third-party requests, localStorage keys, and rights language.

Feature notes & contracts

Layer / File(s)	Summary
Chat deployment feature notes docs/usermanuals/*/deployment/chat.md	Clarified that forgelm chat --safety and chat-compare are v0.6.0+ Pro previews and not currently runnable; current workflows described as previews.
Exit code public contract docs/usermanuals/*/reference/exit-codes.md	Documented the public exit-code contract and clamping behavior to EXIT_TRAINING_ERROR (2).

Security vulnerability management

Layer / File(s)	Summary
Pip-audit ignore entry tools/pip_audit_ignores.yaml	Added ignore for PYSEC-2025-217 / CVE-2025-14929 (transformers) including reason, threat model, verified_at, and reevaluate policy.

• Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes

• Possibly related PRs:

  • HodeTech/ForgeLM#19: similar nightly workflow notebook-validation grep changes blocking specific git+https ForgeLM installs.
  • HodeTech/ForgeLM#60: related pip-audit ignores and tooling changes around pip-audit suppressions.

"A rabbit in the repo hops with cheer,
Links remapped from old to new frontier,
Docs, notebooks, site all made neat,
Privacy and CI now complete,
Hops of HodeTech — progress is here!"

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore: migrate to HodeTech org + ignore new nightly CVE' accurately summarizes the two main changes: organization migration and CVE ignore addition.
Description check	✅ Passed	The PR description is comprehensive, detailing both the org migration (with categorized changes, verification steps, file counts) and CVE ignore rationale, meeting most template sections despite lacking explicit Type checkbox and Testing verification marks.
Linked Issues check	✅ Passed	The PR addresses issue #58 by adding a CVE ignore entry to restore nightly CI. The org migration (271 refs/99 files) is a supporting housekeeping change to complete the GitHub organization transition.
Out of Scope Changes check	✅ Passed	The 271 string replacements for org migration and the single CVE ignore entry are directly scoped to addressing issue #58 (nightly CI failure) and completing an organizational transition; no unrelated changes detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch development

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ast-grep (0.42.3)

site/js/translations.js

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

docs/usermanuals/en/deployment/chat.md (1)

110-110: ⚡ Quick win

Misleading equivalence between chat-compare and benchmark-only.

The note states "Today the same comparison runs through forgelm --benchmark-only", but the --benchmark-only mode runs lm-evaluation-harness benchmark tasks (forgelm/cli/_no_train_modes.py:1-140), which is fundamentally different from the side-by-side chat prompt comparison shown in lines 113-119. Consider revising to acknowledge that no direct equivalent exists today, or clarify that operators must manually run benchmarks separately on each model and compare the judge results themselves (which is a different workflow from the planned dedicated UX).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/usermanuals/en/deployment/chat.md` at line 110, The note incorrectly
implies feature parity between the planned chat-compare subcommand and the
existing --benchmark-only mode; update the text to state that chat-compare
provides an interactive side-by-side chat prompt comparison while
--benchmark-only (see forgelm/cli/_no_train_modes.py) runs lm-evaluation-harness
benchmarks and requires manually running benchmarks per checkpoint and
aggregating judge results, so operators must currently run and compare results
themselves rather than getting the planned dedicated UX.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/usermanuals/en/deployment/chat.md`:
- Around line 66-68: Resolve two issues: pick one consistent flag form (e.g.,
use "--safety" or "--safety on" everywhere) and update the paragraph to use that
chosen form; and clarify the current v0.5.5 behavior by either (A) describing
the exact binding workflow (pointing readers to the chat subcommand parser in
forgelm/cli/_parser.py and specifying which config file/key to set and how the
runner must load it) or (B) explicitly state that on v0.5.5 the CLI does not
support per-turn safety screening and that the YAML safety: enabled: true entry
is only read by certain runners (name them) — do not claim a binding mechanism
exists unless you spell out the exact steps referencing forgelm/cli/_parser.py.

In `@site/js/translations.js`:
- Line 4345: The privacy copy currently hardcodes "pip install forgelm==0.5.5"
in the "privacy.body" locale string (and the same hardcoded version appears in
the sibling privacy locale entries noted in the comment); change this to avoid a
stale pinned version by either removing the "==0.5.5" (use "pip install
forgelm") or replace it with a template/variable (e.g., "{FORGELM_PIP}" or
"{siteVersion}") that the site build injects so the install line is maintained
site-wide and updated from a single source; locate and update the string key
"privacy.body" (and the other privacy locale keys mentioned) to use the
non-hardcoded form.

In `@tools/pip_audit_ignores.yaml`:
- Around line 51-69: Update the PYSEC-2025-217 ignore entry (id: PYSEC-2025-217,
package: transformers) to match advisory wording: state CVE-2025-14929 with CVSS
vector including AV:L and UI:R, remove the unverified phrase "affected through
5.0.0rc0" and instead say "no fixed version announced for the 4.x line" (or
mirror the advisory language about lack of a fix), and adjust the
reevaluate_after criteria accordingly; additionally perform and document a
codebase check to confirm the threat-model claim by searching for usages of
X-CLIP checkpoint conversion paths (search for identifiers/strings such as
"X-CLIP", "checkpoint conversion", "pt2 loader", and any direct "torch.load"
checkpoint-loading sites) and record the result in the entry.

---

Nitpick comments:
In `@docs/usermanuals/en/deployment/chat.md`:
- Line 110: The note incorrectly implies feature parity between the planned
chat-compare subcommand and the existing --benchmark-only mode; update the text
to state that chat-compare provides an interactive side-by-side chat prompt
comparison while --benchmark-only (see forgelm/cli/_no_train_modes.py) runs
lm-evaluation-harness benchmarks and requires manually running benchmarks per
checkpoint and aggregating judge results, so operators must currently run and
compare results themselves rather than getting the planned dedicated UX.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3115152d-2066-4049-a433-0504b4e6c23f

📥 Commits

Reviewing files that changed from the base of the PR and between a2bdb82 and 0613f80.

📒 Files selected for processing (100)

• .agents/skills/cut-release/SKILL.md
• .agents/skills/sync-bilingual-docs/SKILL.md
• .claude/skills/cut-release/SKILL.md
• .claude/skills/sync-bilingual-docs/SKILL.md
• .github/ISSUE_TEMPLATE/config.yml
• .github/workflows/nightly.yml
• CHANGELOG.md
• CODE_OF_CONDUCT.md
• CONTRIBUTING.md
• README.md
• docs/guides/quickstart-tr.md
• docs/guides/quickstart.md
• docs/guides/troubleshooting-tr.md
• docs/guides/troubleshooting.md
• docs/reference/usage-tr.md
• docs/reference/usage.md
• docs/roadmap/releases.md
• docs/roadmap/risks-and-decisions.md
• docs/standards/code-review.md
• docs/standards/documentation.md
• docs/usermanuals/en/compliance/annex-iv.md
• docs/usermanuals/en/compliance/audit-log.md
• docs/usermanuals/en/compliance/gdpr-erasure.md
• docs/usermanuals/en/compliance/gdpr.md
• docs/usermanuals/en/compliance/human-approval-gate.md
• docs/usermanuals/en/compliance/overview.md
• docs/usermanuals/en/compliance/verify-audit.md
• docs/usermanuals/en/data/deduplication.md
• docs/usermanuals/en/data/pii-masking.md
• docs/usermanuals/en/deployment/chat.md
• docs/usermanuals/en/deployment/model-merging.md
• docs/usermanuals/en/deployment/verify-gguf.md
• docs/usermanuals/en/evaluation/trend-tracking.md
• docs/usermanuals/en/getting-started/installation.md
• docs/usermanuals/en/operations/docker.md
• docs/usermanuals/en/operations/experiment-tracking.md
• docs/usermanuals/en/operations/gpu-cost.md
• docs/usermanuals/en/operations/iso-soc2-deployer.md
• docs/usermanuals/en/operations/supply-chain.md
• docs/usermanuals/en/operations/troubleshooting.md
• docs/usermanuals/en/operations/webhooks.md
• docs/usermanuals/en/reference/configuration.md
• docs/usermanuals/en/reference/exit-codes.md
• docs/usermanuals/en/reference/json-output.md
• docs/usermanuals/en/reference/library-api.md
• docs/usermanuals/en/reference/performance.md
• docs/usermanuals/en/reference/yaml-templates.md
• docs/usermanuals/tr/compliance/annex-iv.md
• docs/usermanuals/tr/compliance/audit-log.md
• docs/usermanuals/tr/compliance/gdpr-erasure.md
• docs/usermanuals/tr/compliance/gdpr.md
• docs/usermanuals/tr/compliance/human-approval-gate.md
• docs/usermanuals/tr/compliance/overview.md
• docs/usermanuals/tr/compliance/verify-audit.md
• docs/usermanuals/tr/data/deduplication.md
• docs/usermanuals/tr/data/pii-masking.md
• docs/usermanuals/tr/deployment/chat.md
• docs/usermanuals/tr/deployment/model-merging.md
• docs/usermanuals/tr/deployment/verify-gguf.md
• docs/usermanuals/tr/evaluation/trend-tracking.md
• docs/usermanuals/tr/getting-started/installation.md
• docs/usermanuals/tr/operations/docker.md
• docs/usermanuals/tr/operations/experiment-tracking.md
• docs/usermanuals/tr/operations/gpu-cost.md
• docs/usermanuals/tr/operations/iso-soc2-deployer.md
• docs/usermanuals/tr/operations/supply-chain.md
• docs/usermanuals/tr/operations/troubleshooting.md
• docs/usermanuals/tr/operations/webhooks.md
• docs/usermanuals/tr/reference/configuration.md
• docs/usermanuals/tr/reference/exit-codes.md
• docs/usermanuals/tr/reference/json-output.md
• docs/usermanuals/tr/reference/library-api.md
• docs/usermanuals/tr/reference/performance.md
• docs/usermanuals/tr/reference/yaml-templates.md
• forgelm/model_card.py
• notebooks/data_curation.ipynb
• notebooks/dpo_alignment.ipynb
• notebooks/galore_memory_optimization.ipynb
• notebooks/grpo_reasoning.ipynb
• notebooks/ingestion_playground.ipynb
• notebooks/kto_binary_feedback.ipynb
• notebooks/multi_dataset.ipynb
• notebooks/post_training_workflow.ipynb
• notebooks/quickstart_sft.ipynb
• notebooks/safety_evaluation.ipynb
• notebooks/synthetic_data_training.ipynb
• pyproject.toml
• site/README.md
• site/compliance.html
• site/contact.html
• site/features.html
• site/guide.html
• site/index.html
• site/js/guide.js
• site/js/translations.js
• site/privacy.html
• site/quickstart.html
• site/terms.html
• sonar-project.properties
• tools/pip_audit_ignores.yaml