fix(deps): resolve Dependabot alerts, add docs site improvements#1433
Open
jeremyeder wants to merge 1 commit intomainfrom
Open
fix(deps): resolve Dependabot alerts, add docs site improvements#1433jeremyeder wants to merge 1 commit intomainfrom
jeremyeder wants to merge 1 commit intomainfrom
Conversation
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: ⛔ Files ignored due to path filters (2)
📒 Files selected for processing (8)
💤 Files with no reviewable changes (1)
✅ Files skipped from review due to trivial changes (5)
🚧 Files skipped from review as they are similar to previous changes (2)
📝 WalkthroughWalkthroughThis PR adds comprehensive documentation for Claude Code integrations (Gerrit, CodeRabbit) and development workflows (harness, review-gate), updates documentation dependencies and configuration to include the starlight-llms-txt plugin, upgrades Astro/Starlight versions, and refines dependency constraints in the ambient-runner package. Changes
Sequence Diagram(s)sequenceDiagram
participant Dev as Developer
participant CLI as Claude CLI / ACP
participant Harness as Harness (PreToolUse)
participant Review as CodeRabbit Review Agent
participant GitHub as GitHub (PR)
participant Mergify as Mergify
participant CI as CI
Dev->>CLI: run `gh pr create`
CLI->>Harness: PreToolUse interception
Harness->>Review: run `coderabbit review --agent --base main`
Review-->>Harness: findings (ok | errors)
alt findings contain severity=error
Harness->>CLI: block PR creation (exit 2)
CLI->>Dev: surface errors (stderr)
Dev->>CLI: iterate fixes & retry
CLI->>Harness: repeat review loop
else no blocking findings
Harness->>GitHub: allow PR creation (exit 0)
GitHub->>Mergify: apply `ambient-code:self-reviewed` label
Mergify->>CI: re-run CI / auto-rebase / squash-merge if green
CI-->>Mergify: pass | fail
alt CI pass
Mergify->>GitHub: merge PR
else CI fail
Mergify->>GitHub: eject PR
end
end
🚥 Pre-merge checks | ✅ 8✅ Passed checks (8 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
⚔️ Resolve merge conflicts
✨ Simplify code
Comment |
✅ Deploy Preview for cheerful-kitten-f556a0 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@components/runners/ambient-runner/pyproject.toml`:
- Line 18: The dependency constraint "pyjwt>=2.12.0" is too loose and can
resolve to pre-patch vulnerable releases; update the minimum patched versions in
pyproject.toml (and similarly tighten the "fastmcp" requirement if present) to
the remediation minima (e.g., "pyjwt>=2.12.1" and "fastmcp>=3.2.4") so fresh
dependency resolution cannot pick older patched-vulnerable patch releases;
modify the dependency lines where "pyjwt>=2.12.0" and "fastmcp>=3.2.0" appear to
use the tightened >= versions.
In `@docs/src/content/docs/development/harness.md`:
- Line 8: Update the sentence that currently states hooks live only in
"scripts/claude-hooks/" to reflect both configured hook locations by mentioning
"scripts/claude-hooks/" and "scripts/hooks/" (and that both are configurable via
.claude/settings.json); update the instances at Line 8 and Line 152 so the doc
consistently instructs users to place hooks in either directory (or configure an
alternate path in .claude/settings.json) to avoid misplaced hooks and
non-executed automation.
In `@docs/src/content/docs/development/review-gate.md`:
- Around line 49-56: The docs incorrectly claim that running `bash
scripts/hooks/pr-review-gate.sh` in CI/standalone will execute the review;
update the documentation to instruct CI/manual runs to invoke `bash
scripts/hooks/coderabbit-review-gate.sh` instead because `pr-review-gate.sh`
only acts as a hook wrapper (gates `gh pr create`) and exits early when not run
as a CLAUDE hook; replace the reference to `pr-review-gate.sh` with
`coderabbit-review-gate.sh` and add a short note explaining the difference in
behavior between the two scripts (`pr-review-gate.sh` = hook wrapper,
`coderabbit-review-gate.sh` = standalone CI/manual runner).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: a4c9dc1b-aa75-4845-8d6d-60ac250120cf
⛔ Files ignored due to path filters (2)
components/runners/ambient-runner/uv.lockis excluded by!**/*.lockdocs/package-lock.jsonis excluded by!**/package-lock.json,!**/package-lock.json
📒 Files selected for processing (8)
.claude/skills/scaffold/SKILL.mdcomponents/runners/ambient-runner/pyproject.tomldocs/astro.config.mjsdocs/package.jsondocs/src/content/docs/concepts/integrations.mddocs/src/content/docs/concepts/workspaces.mddocs/src/content/docs/development/harness.mddocs/src/content/docs/development/review-gate.md
💤 Files with no reviewable changes (1)
- docs/src/content/docs/concepts/workspaces.md
| "aiohttp>=3.13.4", | ||
| "requests>=2.33.0", | ||
| "pyjwt>=2.11.0", | ||
| "pyjwt>=2.12.0", |
Contributor
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Declared floors in components/runners/ambient-runner/pyproject.toml:"
rg -n 'pyjwt>=|fastmcp>=' components/runners/ambient-runner/pyproject.toml
echo
echo "Resolved versions in uv.lock (if present):"
LOCK_FILE="$(fd -HI '^uv\.lock$' | head -n1 || true)"
if [ -n "$LOCK_FILE" ]; then
rg -n -C2 'name = "(pyjwt|fastmcp|pygments)"|version = "' "$LOCK_FILE"
else
echo "uv.lock not found"
fiRepository: ambient-code/platform
Length of output: 50377
Specify patched minimum versions to prevent vulnerable patch regression.
pyjwt>=2.12.0 and fastmcp>=3.2.0 allow earlier patch releases than the target remediation versions (2.12.1 and 3.2.4). Fresh dependency resolution could select pre-patch versions. Tighten the constraints:
Proposed patch
dependencies = [
@@
- "pyjwt>=2.12.0",
+ "pyjwt>=2.12.1",
]
@@
override-dependencies = [
- "fastmcp>=3.2.0",
+ "fastmcp>=3.2.4",
]🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@components/runners/ambient-runner/pyproject.toml` at line 18, The dependency
constraint "pyjwt>=2.12.0" is too loose and can resolve to pre-patch vulnerable
releases; update the minimum patched versions in pyproject.toml (and similarly
tighten the "fastmcp" requirement if present) to the remediation minima (e.g.,
"pyjwt>=2.12.1" and "fastmcp>=3.2.4") so fresh dependency resolution cannot pick
older patched-vulnerable patch releases; modify the dependency lines where
"pyjwt>=2.12.0" and "fastmcp>=3.2.0" appear to use the tightened >= versions.
|
|
||
| The harness is the set of agents, skills, hooks, and convention docs that shape how Claude Code behaves when working in this repository. It enforces project standards automatically — blocking bad patterns before they land, formatting code on save, and surfacing review checklists at the right moments. | ||
|
|
||
| Everything lives under `.claude/` and `scripts/claude-hooks/`, configured through `.claude/settings.json`. |
Contributor
There was a problem hiding this comment.
Hook location guidance is inconsistent with the actual configured paths.
Line 8 and Line 152 imply hooks live only in scripts/claude-hooks/, but current configuration uses both scripts/claude-hooks/ and scripts/hooks/. This can lead to misplaced hooks and non-executed automation.
Proposed doc fix
-Everything lives under `.claude/` and `scripts/claude-hooks/`, configured through `.claude/settings.json`.
+Everything lives under `.claude/`, `scripts/claude-hooks/`, and `scripts/hooks/`, configured through `.claude/settings.json`.
-**New hook**: Add a script to `scripts/claude-hooks/`, register it in `.claude/settings.json` under the appropriate lifecycle event and tool matcher.
+**New hook**: Add a script to `scripts/claude-hooks/` or `scripts/hooks/` (matching existing hook categories), then register it in `.claude/settings.json` under the appropriate lifecycle event and tool matcher.Also applies to: 152-152
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@docs/src/content/docs/development/harness.md` at line 8, Update the sentence
that currently states hooks live only in "scripts/claude-hooks/" to reflect both
configured hook locations by mentioning "scripts/claude-hooks/" and
"scripts/hooks/" (and that both are configurable via .claude/settings.json);
update the instances at Line 8 and Line 152 so the doc consistently instructs
users to place hooks in either directory (or configure an alternate path in
.claude/settings.json) to avoid misplaced hooks and non-executed automation.
Comment on lines
+49
to
+56
| The same script (`scripts/hooks/pr-review-gate.sh`) works in three contexts: | ||
|
|
||
| | Runtime | Mechanism | | ||
| |---------|-----------| | ||
| | **Claude Code CLI** | `.claude/settings.json` hooks loaded directly | | ||
| | **ACP sessions** | Claude Agent SDK spawns CLI with `--setting-sources project` — same hooks apply | | ||
| | **CI / standalone** | Run `bash scripts/hooks/pr-review-gate.sh` directly (no `CLAUDE_TOOL_INPUT` — runs review immediately) | | ||
|
|
Contributor
There was a problem hiding this comment.
Fix CI/standalone script reference; current command won’t run the review.
Line 55 says pr-review-gate.sh runs review directly, but that script only gates gh pr create when invoked as a hook and otherwise exits early. CI/manual execution should reference coderabbit-review-gate.sh.
Proposed doc fix
-The same script (`scripts/hooks/pr-review-gate.sh`) works in three contexts:
+The review gate uses `scripts/hooks/pr-review-gate.sh` as the Claude hook wrapper, and `scripts/hooks/coderabbit-review-gate.sh` for direct review execution.
| Runtime | Mechanism |
|---------|-----------|
| **Claude Code CLI** | `.claude/settings.json` hooks loaded directly |
| **ACP sessions** | Claude Agent SDK spawns CLI with `--setting-sources project` — same hooks apply |
-| **CI / standalone** | Run `bash scripts/hooks/pr-review-gate.sh` directly (no `CLAUDE_TOOL_INPUT` — runs review immediately) |
+| **CI / standalone** | Run `bash scripts/hooks/coderabbit-review-gate.sh` directly (no `CLAUDE_TOOL_INPUT` — runs review immediately) |📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| The same script (`scripts/hooks/pr-review-gate.sh`) works in three contexts: | |
| | Runtime | Mechanism | | |
| |---------|-----------| | |
| | **Claude Code CLI** | `.claude/settings.json` hooks loaded directly | | |
| | **ACP sessions** | Claude Agent SDK spawns CLI with `--setting-sources project` — same hooks apply | | |
| | **CI / standalone** | Run `bash scripts/hooks/pr-review-gate.sh` directly (no `CLAUDE_TOOL_INPUT` — runs review immediately) | | |
| The review gate uses `scripts/hooks/pr-review-gate.sh` as the Claude hook wrapper, and `scripts/hooks/coderabbit-review-gate.sh` for direct review execution. | |
| | Runtime | Mechanism | | |
| |---------|-----------| | |
| | **Claude Code CLI** | `.claude/settings.json` hooks loaded directly | | |
| | **ACP sessions** | Claude Agent SDK spawns CLI with `--setting-sources project` — same hooks apply | | |
| | **CI / standalone** | Run `bash scripts/hooks/coderabbit-review-gate.sh` directly (no `CLAUDE_TOOL_INPUT` — runs review immediately) | |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@docs/src/content/docs/development/review-gate.md` around lines 49 - 56, The
docs incorrectly claim that running `bash scripts/hooks/pr-review-gate.sh` in
CI/standalone will execute the review; update the documentation to instruct
CI/manual runs to invoke `bash scripts/hooks/coderabbit-review-gate.sh` instead
because `pr-review-gate.sh` only acts as a hook wrapper (gates `gh pr create`)
and exits early when not run as a CLAUDE hook; replace the reference to
`pr-review-gate.sh` with `coderabbit-review-gate.sh` and add a short note
explaining the difference in behavior between the two scripts
(`pr-review-gate.sh` = hook wrapper, `coderabbit-review-gate.sh` = standalone
CI/manual runner).
Dependency upgrades (8 of 10 Dependabot alerts): - astro 5.x → 6.1.8, starlight 0.34 → 0.38 (alerts #183, #184) - fastmcp 2.14.3 → 3.2.4 via uv override (alerts #144-146) - pyjwt >=2.11.0 → >=2.12.0 (alert #74) - pygments 2.19.2 → 2.20.0 (alert #143) - diskcache removed — fastmcp 3.x dropped the dep (alert #59) - Remaining: docker/docker #134, #135 — no upstream Go module fix Docs site: - Add starlight-llms-txt plugin — generates /llms.txt, /llms-full.txt, /llms-small.txt for LLM-friendly documentation access - Add Claude Code Harness page — documents agents, skills, hooks, convention guard, continuous learning loop, migration to other tools - Add PR Review Gate page — documents inner-loop review flow, circuit breakers, self-reviewed label, merge queues - Add Gerrit and CodeRabbit sections to integrations page - Remove stale token lifetime table from workspaces page - Remove stale zod and sitemap overrides from docs/package.json Scaffold skill: - Add Documentation section and checklist items for writing docs when scaffolding new integrations Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jeremyeder
force-pushed
the
fix/dependabot-astro-6-upgrade
branch
from
dbc9bd3 to
9cc0395
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/llms.txt,/llms-full.txt,/llms-small.txtfor LLM-friendly documentation accessDependabot alerts resolved
Remaining 2 alerts (docker/docker #134, #135) have no upstream Go module fix — v29.3.1 has not been published.
Test plan
npm run buildpasses (31 pages, 0 vulnerabilities)🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Documentation
Chores