Release v8.0.0: Compound Operations, Streaming & Reliability #100
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ance (#73) * feat(envelope): wire up ConfidenceFactors and CacheInfo in FromProvenance v8.0: Actually populate the confidence factors and cache info that were added in #71 but not wired up. Changes: - generateConfidenceFactors() creates factors from backend contributions - Each backend gets a factor with status (available/unavailable) and impact - SCIP backend has higher impact (+0.3/-0.2) than other backends (+0.1/-0.05) - Repo state (clean/dirty) also included as a factor - CacheInfo populated when CachedAt is present in provenance - Added ConfidenceFactor type and Factors field to Confidence struct - Added CacheInfo type and Cache field to Meta struct - Comprehensive tests for all scenarios 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * ci: run checks on PRs to feature/** branches 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix: gofmt and flaky TestFormatAge test - Fix gofmt alignment in builder_test.go struct fields - Fix TestFormatAge flaky test that failed on year boundaries (AddDate(0, -1, -1) on Jan 1 goes to Nov 30, causing 2-month gap) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Lisa <lisa.welsch1985@gmail.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
v8.0 completion: Add remaining pieces from original confidence wiring work. CacheInfo additions: - Key field for cache key debugging - Stale field for stale-while-revalidate scenarios New builder methods: - WithConfidenceFactors() - manually set confidence factors - WithCache(hit, age, stale) - set cache info directly - WithCacheInfo(cache) - set cache from struct 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Lisa <lisa.welsch1985@gmail.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
#65) Bumps @tastehub/ckb-darwin-arm64 from 7.4.0 to 7.5.0. --- updated-dependencies: - dependency-name: "@tastehub/ckb-darwin-arm64" dependency-version: 7.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps @tastehub/ckb-linux-x64 from 7.4.0 to 7.5.0. --- updated-dependencies: - dependency-name: "@tastehub/ckb-linux-x64" dependency-version: 7.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps @tastehub/ckb-win32-x64 from 7.4.0 to 7.5.0. --- updated-dependencies: - dependency-name: "@tastehub/ckb-win32-x64" dependency-version: 7.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the go-deps group with 1 update: [modernc.org/sqlite](https://gitlab.com/cznic/sqlite). Updates `modernc.org/sqlite` from 1.41.0 to 1.42.2 - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.41.0...v1.42.2) --- updated-dependencies: - dependency-name: modernc.org/sqlite dependency-version: 1.42.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updates @tastehub/ckb-darwin-x64 and @tastehub/ckb-linux-arm64 from 7.4.0 to 7.5.0, completing the platform binary updates started by Dependabot PRs #65-69. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Re-implements v8.0 reliability features that were lost when PR #71 was reverted. These features focus on error clarity and actionable guidance. New error codes (internal/errors/errors.go): - AMBIGUOUS_QUERY, PARTIAL_RESULT, INVALID_PARAMETER - RESOURCE_NOT_FOUND, PRECONDITION_FAILED, OPERATION_FAILED - Convenience constructors for each error type New reindex tool (internal/mcp/tool_impls_v80.go): - Check index freshness and provide remediation guidance - Scope options: full or incremental - Added to ops preset Enhanced getStatus: - overallHealth field with tiers: available/degraded/unavailable - Per-backend healthTier and remediation messages - Auto-generated suggestions array based on system state Streaming design doc (docs/streaming-design.md): - SSE-based streaming architecture for CKB 8.2 - Chunking strategy, backpressure handling, MCP protocol extension 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Lisa <lisa.welsch1985@gmail.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Consolidates implementation plans for v8.0, v8.1, and v8.2: - v8.0: Foundation (health, errors, confidence transparency) - v8.1: Compound operations (explore, understand, prepareChange) - v8.2: Streaming (SSE for large results) Includes specs, success metrics, and implementation order. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move implemented features to Completed section: - Enhanced getStatus with health tiers (#75) - reindex tool (#75) - Structured error codes (#75) - Streaming design doc (#75) Only remaining v8.0 item: error audit across tool handlers. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace all fmt.Errorf calls in MCP tool handlers with structured CkbError constructors for consistent, actionable error responses. Uses v8.0 error constructors: - NewInvalidParameterError for parameter validation - NewOperationError for operation failures - NewResourceNotFoundError for missing resources - NewPreconditionError for unmet preconditions Files updated: - tool_impls.go (39 replacements) - tool_impls_daemon.go - tool_impls_multirepo.go - tool_impls_v62.go through v73_remote.go 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Lisa <lisa.welsch1985@gmail.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat(mcp): add v8.0 compound tools for AI workflow optimization (#77) Add 5 compound tools that reduce AI tool calls by 60-70%: - `explore`: Area exploration (file/dir/module) with key symbols, dependencies, hotspots - `understand`: Symbol deep-dive with ambiguity handling and grouped references - `prepareChange`: Pre-change impact + risk assessment with test coverage info - `batchGet`: Retrieve multiple symbols by ID in one call (max 50) - `batchSearch`: Multiple symbol searches in one call (max 10) These compound tools coexist with granular tools. Granular tools remain for specific queries; compound tools optimize AI workflows by aggregating multiple queries. Files: - internal/query/compound.go: Core implementation - internal/mcp/tool_impls_compound.go: MCP handlers - internal/mcp/tools.go: Tool definitions - internal/mcp/presets.go: Added to core preset (19 tools) - internal/query/compound_test.go: Tests 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(query): address golangci-lint nilerr and gofmt issues - Add nolint:nilerr directives to filepath.Walk callbacks that intentionally skip inaccessible files - Fix gofmt formatting 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(query): resolve all staticcheck SA5011 warnings in compound tests - Add explicit return after t.Fatal() to help linter understand control flow - Fix empty branch SA9003 by removing unused conditional - Restructure nil checks to avoid false positive nil deref warnings 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Lisa <lisa.welsch1985@gmail.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat(streaming): add SSE streaming infrastructure for v8.0 Implement streaming support for MCP tools to provide real-time feedback for long-running operations. Tools can opt-in to streaming via stream: true parameter. Key additions: - internal/streaming/: Core streaming package - Stream type with event sending, heartbeat, context cancellation - Chunker for batching results by count or byte size - MCP notification writer for stream events - internal/mcp/streaming.go: StreamingHandler registry - internal/mcp/tool_impls_streaming.go: Streaming findReferences, searchSymbols Streaming protocol: - Initial response returns streamId - Chunks sent via MCP notifications (ckb/streamChunk) - Progress updates via ckb/streamProgress - Completion via ckb/streamComplete 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(streaming): add mutex for streamableTools to prevent race condition - Add sync.RWMutex to protect streamableTools map access - Fix type assertion error checks in tests (errcheck linter) - Fix gofmt formatting issues 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Lisa <lisa.welsch1985@gmail.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Complete error audit across MCP handlers. All raw fmt.Errorf calls are now replaced with appropriate CkbError constructors providing: - Structured error codes for programmatic handling - Suggested fixes and remediation steps - Consistent error formatting Files updated: - handler.go: 7 usages (parameter, resource, operation errors) - cursor.go: 6 usages (all invalid parameter errors) - resources.go: 5 usages (URI validation, resource not found) - server.go: 2 usages (precondition, invalid parameter) - transport.go: 4 usages (I/O operation errors) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Lisa <lisa.welsch1985@gmail.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* feat(cli): add global configuration and project switching Implement a two-tier configuration model for CKB that separates global state from project-specific state. This allows users to run `ckb status` from anywhere without creating local `.ckb/` folders, and easily switch between registered projects. New commands: - `ckb use [name]` - Switch active repository or show current - `ckb use --list` - List available repositories - `ckb repos` - Alias for `ckb repo list` Changes: - Add active repo resolution order: env var > flag > CWD > default - Update `ckb init` to register repos in global registry and set as active - Update `ckb status` to show global status when no active repo - Update engine_helper to use resolved repo instead of just CWD - Add symlink resolution for path matching (macOS /var -> /private/var) Key behaviors: - Running `ckb status` in ~/Downloads shows registered projects list - Running `ckb status` with an active repo shows detailed status - No `.ckb/` folders created unless running `ckb init` - CWD auto-activates if it matches a registered repo 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(cli): address review feedback for global config - Extract duplicate sorting logic to repos.SortByLastUsed() - Remove unused getRepoRootOrError function - Combine findRepoContainingPath loops into single pass - Pick most specific (longest path) match when multiple repos contain CWD - Add --json flag to ckb use for scripting - Add test for longest-path-wins edge case 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(cli): display active repo in status output The formatStatusHuman function was not rendering the ActiveRepo field. Now shows the active repository name, path, and resolution source (env, cwd, or default) at the top of status output. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * chore: bump version to 8.0.0 Update version across Go source, npm package, and documentation. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(cli): add hint when running status from outside project When using the default repo from outside the project directory, backends fail because paths are resolved from CWD. Add a hint to the status output: "(default - run from project directory for full status)" 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(cli): remove repos alias command Simplifies the CLI surface by removing the `ckb repos` alias. Users can use `ckb repo list` directly. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * updated gitignore * fix(cli): require init before index, fix linter errors - index command now requires 'ckb init' first instead of auto-creating .ckb - Fix errcheck warnings for os.Chdir in resolve_test.go - Fix shadow warning for err variable in use.go 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Lisa <lisa.welsch1985@gmail.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* fix(cli): suppress log output in status command Status output already displays backend info in a nicely formatted way, so the raw log messages were redundant noise. Use silent logger with io.Discard to suppress logs during status. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat(cli): add top-level log command Add `ckb log` command for viewing CKB logs: - Shows last N lines (default 50) - Supports -f/--follow for tail -f behavior - Supports -n/--lines to customize line count - Shows helpful message when no logs exist 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(logging): migrate from internal/logging to log/slog - Create internal/slogutil package with custom CKB handler - Add global -v and -q flags to root command for verbosity control - Migrate all packages to use log/slog: - cmd/ckb (all CLI commands) - internal/api, internal/mcp, internal/query - internal/backends (scip, lsp, git) - internal/daemon, internal/telemetry - internal/federation, internal/identity - internal/storage and other internal packages - Update 46+ test files to use slog.New(slog.NewTextHandler(io.Discard, nil)) - Delete internal/logging package This is part of the v8.0 logging improvements to standardize on Go's standard library structured logging. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat(cli): add daemon status to ckb status output Show daemon running state (PID, port, uptime) directly in `ckb status` output, eliminating the need to run `ckb daemon status` separately. - Add DaemonStatusCLI struct to track daemon state - Query daemon /health endpoint for uptime when running - Display daemon status after active repo in human format 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * feat(cli): add ckb ps command to list CKB processes New command to show all running CKB processes in one place: - Shows daemon status with PID, port, and uptime - Supports --json output for scripting - Extensible for future MCP session and watcher tracking 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * feat(cli): add ckb tools command for MCP tool discovery New command to explore available MCP tools: - Shows preset summary with tool counts and token estimates - Drills down into presets with categorized tool lists - Shows detailed tool info with parameters and descriptions Also adds NewMCPServerForCLI() for lightweight tool introspection. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * docs: update v8 UX improvements tracking doc Mark Phase 2 items as complete: - ckb ps command - ckb tools command 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * refactor: complete stdlib slog migration across codebase - Remove all nil args from slog method calls (Debug, Info, Warn, Error) - Convert map[string]interface{} args to variadic key-value pairs - Fix malformed imports in test files (t"io", t"log/slog" -> proper imports) - Replace logging.NewLogger with slog.New in test helpers - Apply goimports formatting to fixed files This completes the migration from internal/logging to log/slog that was started in commit 8dccf0b but left behind broken patterns. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(lint): add type assertion check in tools.go Fixes unchecked type assertion flagged by errcheck linter. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Lisa <lisa.welsch1985@gmail.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Work packages for remaining logging improvements: - WP1: Log directory infrastructure (per-repo + global) - WP2: Log level configuration (minimal/standard/verbose/debug) - WP3: Subsystem logger factory - WP4-5: MCP and API logging integration - WP6: Enhanced `ckb log` command - WP7: Log rotation - WP8: Grafana Loki integration for remote aggregation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Key changes to avoid duplication: - WP1: Extend paths.go instead of new logs.go file - WP2: Extend existing LoggingConfig, add env var mappings - WP3: Factory composes NewFileLogger/TeeHandler/LevelFromString - WP6: Extend existing ckb log command (reuse showLogLines/followLogFile) - Keep daemon.log at ~/.ckb/daemon/ (no breaking change) Added: - "Existing Infrastructure" table showing what to reuse - "Code Reuse Summary" table at end - Detailed acceptance criteria per work package Files modified: 4 existing, 3 new 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add LoggerFactory for centralized logger creation with config precedence (CLI flags > subsystem config > global config > defaults) - Add per-repo logs: mcp.log, api.log, index.log in .ckb/logs/ - Add global logs: system.log in ~/.ckb/logs/ - Add log rotation with configurable maxSize (e.g., "10MB") and maxBackups - Extend config.LoggingConfig with subsystem levels and rotation settings - Enhance `ckb log` command with -t/--type flag for viewing different logs - Add --path and --clear flags for log management - Integrate tee logging in MCP and API servers (file + stderr) Work packages: WP1-WP7 from docs/plan-logging.md 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add LokiHandler implementing slog.Handler for pushing logs to Loki
- Support batched log shipping with configurable batch size and flush interval
- Include dynamic labels (level, subsystem, repo) and static labels (app, env, host)
- Integrate with LoggerFactory - automatically enabled when remote.type="loki"
- Use TeeHandler to send logs to both file and Loki simultaneously
- Add comprehensive tests for handler creation, batching, and label handling
Config example:
```json
{
"logging": {
"remote": {
"type": "loki",
"endpoint": "http://localhost:3100",
"labels": { "env": "dev" },
"batchSize": 100,
"flushInterval": "5s"
}
}
}
```
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add internal/secrets package with 26 builtin patterns for detecting exposed credentials (AWS, GitHub, Stripe, Slack, private keys, JWT, etc.) - Implement Shannon entropy analysis to reduce false positives on generic patterns - Support three scan scopes: workdir, staged files, git history - Add allowlist support via .ckb/secrets-allowlist.json for suppressing known false positives - Optional integration with external tools (gitleaks, trufflehog) - New scanSecrets MCP tool added to review and refactor presets - Update README with security features documentation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add GitHub Actions workflow for automated security scanning - Workflow runs on push, PR, weekly schedule, and manual trigger - Uses CKB's scanSecrets for builtin pattern detection - Integrates with gitleaks and trufflehog for comprehensive coverage - Adds govulncheck for dependency vulnerability scanning - Creates PR comments with findings summary - Add scan-secrets CLI command for local and CI usage - Supports workdir, staged, and history scan scopes - JSON and human-readable output formats Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move PR commenting from secret-scan to security-gate job - Single consolidated comment with all results (secrets + vulns) - Updates existing comment instead of creating new ones - Add SARIF upload to GitHub Security tab - Keep gitleaks inline comments for line-specific feedback Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Install gitleaks/trufflehog CLIs directly to capture JSON output - Download external-scan-results artifact in security-gate - Include gitleaks findings in consolidated comment with file grouping - Include trufflehog verified secrets in consolidated comment - Add tests for SARIF formatter and setup hooks command - Fix MCP presets test tool count (86 -> 87) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security scanners (all opt-out via env vars): - Secret Detection: CKB, Gitleaks, TruffleHog - SAST: Gosec (Go security), Semgrep (multi-lang) - Dependencies: govulncheck, Trivy (vuln+license+SBOM), OSV-Scanner Features: - All scanners upload SARIF to GitHub Security tab - Single consolidated PR comment with all findings - License compliance checking via Trivy - SBOM generation (CycloneDX format) - Configurable minimum severity Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix gofmt formatting in secrets and slogutil packages - Fix copylocks in LokiHandler by using wrapper type for WithAttrs/WithGroup - Fix nilerr issues in factory.go with nolint comments for graceful degradation - Fix shadow declarations in external.go, factory.go, rotation.go - Fix staticcheck issues in scanner.go and rotation.go - Fix data race in TestLokiHandler_Labels with mutex synchronization - Remove GitHub PAT example from patterns.go to avoid Trivy false positive - Restore inline comments in security-audit.yml workflow Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CLAUDE.md recommendation to README for better tool adoption - Make tool descriptions more directive with clear "USE THIS" guidance: - searchSymbols: emphasize it's better than grep - explore: "START HERE" for file/directory questions - understand: "USE THIS" for "how does X work" questions - prepareChange: "CALL THIS BEFORE" modifying code - analyzeImpact: "USE THIS" for blast radius questions - Add hints to getStatus response with tool usage guidance - Update getStatus description to mention hints This helps AI assistants choose CKB tools over basic text search. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
feat(ux): improve tool discoverability for AI assistants
Replace imperative phrases (USE THIS, START HERE, CALL THIS BEFORE) with declarative descriptions that lead with what the tool returns. More professional tone while preserving discoverability. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove per-job permissions blocks (not allowed with reusable workflows) - Add top-level permissions for inheritance by called workflows - Simplify scanner config to use literal booleans Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
GitHub Actions job outputs are always strings. The gate workflow was defining inputs with type: number, causing type mismatch errors when passing job outputs to the reusable workflow. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
GitHub Actions requires reusable workflows to be at the top level of .github/workflows/, not in subdirectories. Renamed files with 'security-' prefix and updated references in security-audit.yml. Also adds web/ directory. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
GitHub Actions GITHUB_OUTPUT requires single-line values. The jq command was outputting multi-line JSON which broke the output format. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove -track-suppressions flag from gosec SARIF generation. This prevents #nosec-annotated findings from appearing in GitHub Code Scanning alerts, as the quality gate was incorrectly flagging them as new issues. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The PR comment now shows: - Per-scanner breakdown (Gosec, Bandit, Semgrep, Trivy, etc.) - Severity counts (high, critical) - Status icons (✅⚠️ ❌) based on severity - Helpful context for each category Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Each category now has relevant links: - Secrets: Link to secret scanning alerts - SAST: Links to Code Scanning filtered by tool (Gosec, Bandit, Semgrep) - Dependencies: Link to Dependabot alerts - Licenses: Link to workflow artifacts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
PR comment now shows: - Quick summary line with icons at top - Collapsible <details> section with full breakdown table - Footer links to workflow run and security overview Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update github/codeql-action/upload-sarif from v3 to v4 (deprecation) - Add SARIF validation before upload to prevent 'missing results array' error - CKB secrets scanner may generate invalid SARIF when no findings Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Track errors from scanner workflows (e.g., invalid SARIF) - Pass errors to gate workflow - Display errors prominently in PR comment - Validates CKB SARIF before upload to prevent silent failures Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Revert the PR comment to the original clean format per user request. The simple table layout is more readable than the complex version with icons and collapsible sections. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Restore the emoji styling from the original security-audit.yml: - 🔐 in title - ✅/⚠️ /❌ status indicators - Category emojis (🔑, 🛡️, 📦, 📜) - Per-category pass/warn indicators Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add detailed collapsible sections matching feature/8.0 style: - Secret detection details (CKB, Gitleaks, TruffleHog) - SAST analysis details (Gosec, Semgrep) - Dependency vulnerabilities (govulncheck, Trivy, OSV) - License issues (non-permissive licenses) Each section shows top 5 findings with file:line locations. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add feature/** to the pull_request branches trigger so CKB code intelligence analysis runs alongside security audit on feature branches. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The CKB marketing website is now in its own repository. This removes accidentally committed build artifacts. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
fix(security): add #nosec annotations and exclude false positive dirs
Document all features completed for the 8.0 release: - Compound operations (explore, understand, prepareChange, batchGet, batchSearch) - SSE streaming for findReferences and searchSymbols - Enhanced getStatus with health tiers and remediation - reindex MCP tool - Structured error codes with remediation guidance - Response metadata (ConfidenceFactor, CacheInfo) - Code analysis tools (findDeadCode, getAffectedTests, compareAPI) - Golden test suite for multi-language regression testing Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
NFR Tests ⬆️ 11 improved · ✅ 17 passedRegressions: 0 ✅ Thresholds: WARN ≥ +5% • FAIL ≥ +10% • Hotspot ≥ 90% budget ! HOT listEntrypoints/small -0.1% 4,795B budget 91% 1.48927ms
! HOT analyzeImpact/large -0.2% 17,966B budget 91% 99µs
! HOT summarizeDiff/large -0.3% 19,939B budget 91% 149µs
+ SAVE getAffectedTests/xlarge -50.4% 14,870B budget 45% 157µs
+ SAVE getAffectedTests/large -49.9% 7,521B budget 46% 84µs
+ SAVE getAffectedTests/medium -48.2% 3,110B budget 47% 38µsHotspots (closest to limit)
All scenarios
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
gosec found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
🔐 Security Audit Results
📦 Dependency VulnerabilitiesFound 7 vulnerability(ies) across 2 scanner(s) DetailsTrivy (4 findings)
OSV-Scanner (3 findings)
📜 License IssuesFound 119 non-permissive license(s) Details
Generated by CKB Security Audit | View Details | Security Tab |
Codecov Report❌ Patch coverage is ❌ Your patch status has failed because the patch coverage (29.1%) is below the target coverage (90.0%). You can increase the patch coverage or adjust the target coverage. Additional details and impacted files@@ Coverage Diff @@
## develop #100 +/- ##
=========================================
+ Coverage 44.8% 45.0% +0.1%
=========================================
Files 318 350 +32
Lines 53634 59428 +5794
=========================================
+ Hits 24075 26764 +2689
- Misses 27939 30839 +2900
- Partials 1620 1825 +205
Flags with carried forward coverage won't be shown. Click here to find out more. 📢 Thoughts on this report? Let us know! 🚀 New features to boost your workflow:
|
- Add Compound Operations to feature highlights - Add new tools to Features table (explore, understand, prepareChange, etc.) - Add Streaming to Features table - Add v8.0 compound operations section to CLI docs - Fix inconsistent tool counts (now 80+) - Mention compareAPI and findDeadCode tools explicitly Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CKB Analysis
Risk factors: Large PR with 297 files • High churn: 30075 lines changed • Touches 38 hotspot(s)
🎯 Change Impact Analysis · 🟡 MEDIUM · 2871 changed → 20 affected
Symbols changed in this PR:
Downstream symbols affected:
Recommendations:
💣 Blast radius · 0 symbols · 64 tests · 0 consumersTests that may break:
🔥 Hotspots · 38 volatile files
📦 Modules · 14 at risk
📊 Complexity · 7 violations
💡 Quick wins · 10 suggestions
📚 Stale docs · 130 broken references
Generated by CKB · Run details |
CLAUDE.md: - Update tool count from 58 to 80+ - Add v8.0 tools: compound operations, streaming, reindex - Add new packages: internal/streaming/, internal/envelope/ streaming-design.md: - Fix title from "8.2" to "v8.0" (streaming shipped in 8.0) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
🟡 Change Impact Analysis
Blast Radius: 0 modules, 1 files, 1314 unique callers 📝 Changed Symbols (2871)
🎯 Affected Downstream (20)
Recommendations
Generated by CKB |
- Exclude G104,G301,G302,G304,G306 from Go SAST workflow - Add #nosec G201 directives alongside existing //nolint:gosec comments - Gosec uses #nosec format, golangci-lint uses //nolint:gosec Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add 22 tests covering parameter validation and basic functionality for the 5 compound MCP tools: - explore: 5 tests (target validation, depth/focus options) - understand: 4 tests (query validation, options handling) - prepareChange: 4 tests (target validation, change types) - batchGet: 4 tests (symbolIds validation) - batchSearch: 5 tests (queries validation, options) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
CKB v8.0 delivers on the theme of reliability, clarity, and compound operations for AI workflows.
Highlights
explore,understand,prepareChange,batchGet,batchSearchreduce AI tool calls by 60-70%findReferencesandsearchSymbolsgetStatus— Health tiers (available/degraded/unavailable) with actionable remediationfindDeadCode,getAffectedTests,compareAPINew MCP Tools
exploreunderstandprepareChangebatchGetbatchSearchreindexfindDeadCodegetAffectedTestscompareAPIInfrastructure
Test plan
explore,understand,prepareChange)findReferencesandsearchSymbolsgetStatusshows correct health tiersgo test ./...golangci-lint run🤖 Generated with Claude Code