
chore(hygiene): bootstrap SECURITY, CHANGELOG, CONTRIBUTING, CODEOWNERS #22

Merged
KooshaPari merged 1 commit into main from chore/hygiene-bootstrap
Apr 24, 2026

Conversation

@KooshaPari KooshaPari (Owner) commented Apr 24, 2026

User description

Tier-2 hygiene bootstrap per audit #120. Adds all 4 missing hygiene files. Stack: Go + Rust (Tauri) + Node (SvelteKit).


Note

Low Risk
Documentation-only changes that affect contribution process and review routing but do not alter runtime code paths.

Overview
Bootstraps repo hygiene by adding CHANGELOG.md, CONTRIBUTING.md, and SECURITY.md with initial scaffolding for release notes, contribution/quality-gate expectations, and vulnerability reporting/response timelines.

Adds a CODEOWNERS file to route all changes (and key language globs) to a default owner for review.

Reviewed by Cursor Bugbot for commit 414e406.


CodeAnt-AI Description

Add starter security, contribution, changelog, and review ownership docs

What Changed

  • Adds a security policy with private reporting options, covered scope, and response timelines
  • Adds contributor guidance for branch naming, local checks, commit style, and repo rules
  • Adds an initial changelog scaffold for tracking unreleased changes
  • Adds a CODEOWNERS file so changes are routed to a default reviewer

Impact

✅ Clearer security reporting
✅ Faster contributor onboarding
✅ Consistent review routing




codeant-ai Bot commented Apr 24, 2026

CodeAnt AI is reviewing your PR.


@codeant-ai codeant-ai Bot added the size:M This PR changes 30-99 lines, ignoring generated files label Apr 24, 2026
Comment thread CONTRIBUTING.md
## Local quality gates
- Go: `cd backend/byteport && go build ./... && go test ./...`
- Rust (Tauri): `cd frontend/web/src-tauri && cargo fmt --check && cargo clippy --all-targets -- -D warnings && cargo test`
- Node (SvelteKit): `cd frontend/web && (bun install && bun run build) || (pnpm install && pnpm run build)`

🟠 Architect Review — HIGH

The Node local quality gate instructs contributors to use Bun or PNPM (`bun install && bun run build` or `pnpm install && pnpm run build`), while the SvelteKit frontend is explicitly configured to use Yarn (`packageManager: "yarn@..."` with a `yarn.lock`). This contradicts the actual project configuration and will mislead contributors about the supported package manager.

Suggestion: Update the Node quality gate to use the repo's configured primary package manager (Yarn, matching packageManager and yarn.lock), optionally documenting one consistent fallback if truly supported.


Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** CONTRIBUTING.md
**Line:** 12:12
**Comment:**
HIGH: The Node local quality gate instructs contributors to use Bun or PNPM (`bun install && bun run build` or `pnpm install && pnpm run build`), while the SvelteKit frontend is explicitly configured to use Yarn (`packageManager: "yarn@..."` with a `yarn.lock`). This contradicts the actual project configuration and will mislead contributors about the supported package manager.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
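One way to keep the Node quality gate from drifting away from the frontend's configuration, as the finding above describes, is to derive the command from `package.json` and the lockfile instead of hard-coding a package manager in CONTRIBUTING.md. The script below is an added example, not code from this PR or the repository; it assumes a Corepack-style `"packageManager"` field and/or a lockfile in the frontend directory (the `frontend/web` path is the one named in the PR's CONTRIBUTING.md snippet), and the install flags it emits are the lockfile-enforcing ones of each manager (`npm ci`, `pnpm install --frozen-lockfile`, `bun install --frozen-lockfile`, `yarn install --immutable` for Yarn 2+ and `--frozen-lockfile` for Yarn 1).

```shell
#!/bin/sh
# Added example, not from the PR or the repository: derive the Node quality
# gate from the frontend's own configuration instead of hard-coding a package
# manager in CONTRIBUTING.md. Assumes a package.json carrying a Corepack-style
# "packageManager" field and/or a lockfile in the same directory; the
# directory frontend/web is the one named in the PR's CONTRIBUTING.md snippet.

# Package manager declared in package.json ("yarn@4.1.1" -> "yarn").
# Prints nothing when the file or the field is absent.
declared_package_manager() {
  [ -f "$1/package.json" ] || return 0
  sed -n 's/.*"packageManager"[[:space:]]*:[[:space:]]*"\([a-z]*\)@[^"]*".*/\1/p' \
    "$1/package.json" | head -n 1
}

# Major version from the same field ("yarn@4.1.1" -> "4"); empty if absent.
declared_major_version() {
  [ -f "$1/package.json" ] || return 0
  sed -n 's/.*"packageManager"[[:space:]]*:[[:space:]]*"[a-z]*@\([0-9]*\).*/\1/p' \
    "$1/package.json" | head -n 1
}

# Package manager implied by whichever lockfile is present.
lockfile_package_manager() {
  if   [ -f "$1/pnpm-lock.yaml" ]; then echo pnpm
  elif [ -f "$1/yarn.lock" ]; then echo yarn
  elif [ -f "$1/bun.lock" ] || [ -f "$1/bun.lockb" ]; then echo bun
  elif [ -f "$1/package-lock.json" ]; then echo npm
  fi
}

# Resolve the manager to use. The declared field wins; a lockfile that belongs
# to a different manager is exactly the docs-vs-config drift the review
# flagged, so it is reported as an error rather than silently picking a side.
detect_package_manager() {
  declared=$(declared_package_manager "$1")
  locked=$(lockfile_package_manager "$1")
  if [ -n "$declared" ] && [ -n "$locked" ] && [ "$declared" != "$locked" ]; then
    echo "error: package.json declares $declared but the lockfile belongs to $locked" >&2
    return 1
  fi
  pm=${declared:-$locked}
  if [ -z "$pm" ]; then
    echo "error: no packageManager field and no lockfile in $1" >&2
    return 1
  fi
  echo "$pm"
}

# Lockfile-enforcing install plus build for the resolved manager, so the gate
# fails when package.json and the lockfile disagree instead of rewriting the lock.
node_quality_gate() {
  pm=$(detect_package_manager "$1") || return 1
  case $pm in
    npm)  echo "npm ci && npm run build" ;;
    pnpm) echo "pnpm install --frozen-lockfile && pnpm run build" ;;
    bun)  echo "bun install --frozen-lockfile && bun run build" ;;
    yarn)
      # Yarn 1 (classic) calls the flag --frozen-lockfile; Yarn 2+ (berry)
      # renamed it to --immutable.
      major=$(declared_major_version "$1")
      if [ -n "$major" ] && [ "$major" -ge 2 ]; then
        echo "yarn install --immutable && yarn run build"
      else
        echo "yarn install --frozen-lockfile && yarn run build"
      fi ;;
  esac
}

# Usage: sh node-gate.sh frontend/web
# Prints the command to run (for CONTRIBUTING.md or a CI step); pipe it into
# sh to execute it.
if [ -n "${1:-}" ]; then
  node_quality_gate "$1"
fi
```

Running `sh node-gate.sh frontend/web` from the repo root prints the one command contributors should use; if a future commit switches the `packageManager` field without replacing the lockfile, the script exits non-zero instead of guessing, which is the failure mode the review is about.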

Comment thread CONTRIBUTING.md
Types: feat, fix, chore, docs, refactor, test, ci, perf.

## Governance
See CLAUDE.md for agent rules + AGENTS.md for hub context.

🟠 Architect Review — HIGH

CONTRIBUTING.md directs contributors to AGENTS.md for "hub context", but no AGENTS.md file exists anywhere in the repository, leaving a dead reference in a core governance section.

Suggestion: Either add an AGENTS.md file with the intended hub context or remove/replace this reference with an existing, maintained document.


Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** CONTRIBUTING.md
**Line:** 19:19
**Comment:**
HIGH: CONTRIBUTING.md directs contributors to `AGENTS.md` for "hub context", but no `AGENTS.md` file exists anywhere in the repository, leaving a dead reference in a core governance section.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

Comment thread CONTRIBUTING.md

## Governance
See CLAUDE.md for agent rules + AGENTS.md for hub context.
Never commit secrets; pre-commit hook runs trufflehog.

🟠 Architect Review — HIGH

The governance section states that a pre-commit hook runs trufflehog, but the repo contains no pre-commit configuration or hook scripts invoking trufflehog (only Git's default .sample hooks), so this documented security control does not actually exist.

Suggestion: Either add a real pre-commit hook configuration that runs trufflehog (e.g., via .pre-commit-config.yaml or a Husky hook) or reword the statement as a recommendation rather than an existing enforced hook.


Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** CONTRIBUTING.md
**Line:** 20:20
**Comment:**
HIGH: The governance section states that a pre-commit hook runs trufflehog, but the repo contains no pre-commit configuration or hook scripts invoking trufflehog (only Git's default `.sample` hooks), so this documented security control does not actually exist.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
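The finding above is the difference between a documented control and an enforced one. As an added example, not the repository's own hook and not part of this PR, the script below is a hook that makes the CONTRIBUTING.md sentence true and fails closed: a missing scanner blocks the commit rather than silently passing it, so the control cannot quietly degrade into "nothing was scanned". It assumes TruffleHog v3's CLI (`trufflehog git file://. --since-commit HEAD --only-verified --fail`, where `--fail` makes the process exit non-zero when a verified secret is found); check the flags against `trufflehog --help` for the version you install.

```shell
#!/bin/sh
# Added example, not the repository's hook: a fail-closed pre-commit hook that
# runs TruffleHog on the pending commit, matching the CONTRIBUTING.md claim
# "pre-commit hook runs trufflehog". Assumes TruffleHog v3's CLI:
#   trufflehog git file://. --since-commit HEAD --only-verified --fail
# where --fail makes the scanner exit non-zero when a verified secret is found.
# Install by copying this file to .git/hooks/pre-commit and marking it executable.

# Run the scan. Returns 0 only when trufflehog ran and reported no verified
# secrets; 1 when it reported findings; 2 when the scanner is not installed.
# A missing scanner is a failure rather than a skip, so the control cannot
# silently degrade into "nothing was scanned".
pre_commit_secret_scan() {
  if ! command -v trufflehog >/dev/null 2>&1; then
    echo "pre-commit: trufflehog not found on PATH; refusing to commit unscanned changes" >&2
    echo "pre-commit: install trufflehog, or skip this hook once with git commit --no-verify" >&2
    return 2
  fi
  if trufflehog git file://. --since-commit HEAD --only-verified --fail; then
    return 0
  fi
  echo "pre-commit: trufflehog reported findings; remove the secret and re-stage" >&2
  return 1
}

# When installed as .git/hooks/pre-commit, git invokes this file under that
# name, so the scan runs and its status becomes the hook's status. Under any
# other name the file only defines the function (useful for sourcing and
# testing it).
case "$(basename "$0")" in
  pre-commit) pre_commit_secret_scan; exit $? ;;
esac
```

Because the hook lives in `.git/hooks`, it is not versioned and each clone has to install it; committing an equivalent `.pre-commit-config.yaml` or Husky hook, as the review suggests, is what makes the control reproducible across contributors, and a CI job running the same scan is what makes it enforced rather than advisory.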

@codeant-ai

codeant-ai Bot commented Apr 24, 2026

CodeAnt AI finished reviewing your PR.

KooshaPari pushed a commit that referenced this pull request Apr 24, 2026
@KooshaPari KooshaPari merged commit 023d006 into main Apr 24, 2026
6 of 10 checks passed
@KooshaPari KooshaPari deleted the chore/hygiene-bootstrap branch April 24, 2026 22:18
KooshaPari added a commit that referenced this pull request Apr 24, 2026
…fixes) (#19)

* chore(deps): bump golang.org/x/crypto to 0.31.0 (4 CRIT CVE fixes)

Fixes 4 CRITICAL Dependabot alerts (< 0.31.0) across the 4 backend
Go modules. Transitively upgrades golang.org/x/sys to 0.28.0 and
golang.org/x/text to 0.21.0 via go mod tidy.

Modules updated:
- backend/byteport: v0.29.0 -> v0.31.0 (direct)
- backend/nvms: v0.28.0 -> v0.31.0 (indirect)
- backend/nvms/Demonstrator: v0.28.0 -> v0.31.0 (indirect)
- backend/nvms/Provisioner: v0.28.0 -> v0.31.0 (indirect)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(deps): bump golang.org/x/crypto to 0.35.0 (4 CRIT + 4 HIGH CVEs)

Supersedes 0.31.0 bump. 0.35.0 is the first patched version covering
both the critical GHSA-v778-237x-gjrc and the high-severity
GHSA-hcg3-q754-cr77 advisories across all 4 go.mod manifests:

- backend/byteport/go.mod
- backend/nvms/go.mod
- backend/nvms/Demonstrator/go.mod
- backend/nvms/Provisioner/go.mod

Resolves Dependabot alerts:
  CRIT: #16, #20, #22, #24 (GHSA-v778-237x-gjrc)
  HIGH: #18, #21, #23, #25 (GHSA-hcg3-q754-cr77)

Verified via go build ./... in each module.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Forge <forge@phenotype.dev>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
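The commit message above verifies the bump with `go build ./...`, which proves the modules compile but not that every manifest actually pins the patched version. As an added example, not from the commit or the repository, the script below checks each go.mod for a `golang.org/x/crypto` requirement at or above the first patched version the message names (v0.35.0), counting an indirect requirement and treating a module that does not list the dependency at all as a failure, since all four modules are expected to carry it after this bump. The module paths in the usage comment are the four from the commit message; the go.mod contents used in its test are constructed.

```shell
#!/bin/sh
# Added example, not part of the PR or the commit: check that every go.mod
# requires golang.org/x/crypto at or above the first patched version named in
# the commit message (v0.35.0). The four module paths in the usage comment are
# the ones the commit message lists.

MIN_XCRYPTO=v0.35.0

# Print the golang.org/x/crypto version a go.mod requires (a direct require
# line or one inside a require block, "// indirect" included), or nothing if
# the module is not required at all.
xcrypto_version() {
  sed -n 's/.*golang\.org\/x\/crypto[[:space:]][[:space:]]*\(v[0-9][0-9.]*\).*/\1/p' "$1" \
    | head -n 1
}

# version_ge A B: succeed when semver A >= B (a leading "v" is ignored).
# Compared numerically per component so v0.9.0 < v0.10.0 and v0.31.0 < v0.35.0.
version_ge() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# check_gomods MIN FILE...: one report line per file. Returns non-zero if any
# module pins a version below MIN or does not require x/crypto at all, so a
# manifest that was skipped in the bump cannot pass unnoticed.
check_gomods() {
  min=$1; shift
  status=0
  for f in "$@"; do
    v=$(xcrypto_version "$f")
    if [ -z "$v" ]; then
      echo "$f: golang.org/x/crypto not required"
      status=1
    elif version_ge "$v" "$min"; then
      echo "$f: $v ok"
    else
      echo "$f: $v below $min"
      status=1
    fi
  done
  return $status
}

# Usage from the repo root (paths taken from the commit message):
#   check_gomods "$MIN_XCRYPTO" backend/byteport/go.mod backend/nvms/go.mod \
#     backend/nvms/Demonstrator/go.mod backend/nvms/Provisioner/go.mod
```

This only confirms the pin in each manifest; whether the vulnerable function is reachable from the module's own code is a question for `govulncheck`, which reads the Go vulnerability database and reports call-path reachability rather than version numbers.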