chore(security-check): backport pr-quality-gate fixes + add ci.yml permissions (v2)#32
Merged
Three findings from the retrospective audit of Phase 0 → 3d:
A. security-check helper had 2 self-referential false positives that
pr-quality-gate already fixed but weren't backported:
- Section F: pr-quality-gate skill missing from _QUANTRANK_SKILLS
allowlist → flagged as a vendored skill missing LICENSE. Add it.
- Section G: naive `"--no-verify" in body` matched the prose mention
in the pr-quality-gate commit body (which describes the rule).
Tighten to a `git ... --no-verify` command-context regex,
mirroring the pr-quality-gate Section F fix.
B. .github/workflows/ci.yml had no explicit permissions: block, falling
back to GitHub's implicit defaults. Add `permissions: contents: read`
at the workflow level — CI doesn't push anything, so read-only is
safe + matches the security-check Section E least-privilege contract.
After these changes, security-check Section E reports all 4 workflows
follow least-privilege, and Sections F/G are clean. The only remaining
hard failure is the pre-existing Next.js critical CVE (Section B) —
filed separately as a Phase 4 issue.
https://claude.ai/code/session_015649aRyi2bvciQYZVNACd2
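The Section G fix above (naive `"--no-verify" in body` substring replaced by a `git ... --no-verify` command-context regex) is easy to get wrong in either direction, so here is an added, self-contained illustration of the two checks side by side. This is example code written for this page, not the repository's `security-check` helper; the commit bodies are constructed samples and the regex is my own approximation of a "flag only when the option sits on a git command line" rule, not the project's exact pattern.

```python
import re

# Constructed sample commit bodies (not taken from the project's history).
# The first one is the false-positive case: prose that *describes* the rule.
PROSE_MENTION = """feat(skills): add pr-quality-gate skill

Section F flags any commit whose body invokes `git` with --no-verify,
because that skips the pre-commit hooks the repository relies on.
"""

REAL_BYPASS = """fix: quick patch

Hooks were slow, so I ran:
    git commit --no-verify -m "quick patch"
"""

SIGN_BYPASS = """chore: release

    $ git commit -S --no-gpg-sign -m "release"
"""

CLEAN = "docs: update README\n\nNo hooks involved."

BYPASS_FLAGS = ("--no-verify", "--no-gpg-sign")


def naive_check(body: str) -> bool:
    """Pre-backport behaviour: plain substring match.

    Flags any mention of the option, including prose that merely documents
    the rule, which is exactly the self-referential false positive.
    """
    return any(flag in body for flag in BYPASS_FLAGS)


# Command-context rule (hypothetical, mine): the line must start with an
# optional shell prompt and the word `git`, and only shell-like tokens
# (no prose words with spaces/punctuation) may sit between `git` and the flag.
_GIT_BYPASS_RE = re.compile(
    r"^[ \t]*(?:\$[ \t]*)?git"          # line begins with `git` (or `$ git`)
    r"(?:[ \t]+[\w./=:\"'-]+)*?"        # zero or more command-line tokens
    r"[ \t]+(?:--no-verify|--no-gpg-sign)(?=\s|$)",
    re.MULTILINE,
)


def command_context_check(body: str) -> bool:
    """Backported behaviour: flag only when a git command line carries the flag."""
    return _GIT_BYPASS_RE.search(body) is not None


def audit(bodies: dict[str, str]) -> dict[str, tuple[bool, bool]]:
    """Return {name: (naive_hit, command_context_hit)} for each commit body."""
    return {name: (naive_check(b), command_context_check(b)) for name, b in bodies.items()}


if __name__ == "__main__":
    samples = {
        "prose-mention": PROSE_MENTION,
        "real-bypass": REAL_BYPASS,
        "sign-bypass": SIGN_BYPASS,
        "clean": CLEAN,
    }
    for name, (naive_hit, ctx_hit) in audit(samples).items():
        print(f"{name:14s} naive={naive_hit!s:5s} command-context={ctx_hit}")
```

The heuristic is still a heuristic: a prose line that happens to begin with the word `git` followed only by option-like tokens would be flagged. For a commit-body lint that is an acceptable trade, because the goal is to stop the rule's own description from tripping it, not to parse shell.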
This was referenced May 13, 2026

dackclup added a commit that referenced this pull request on May 14, 2026:
Lockstep update of the three tracking docs after PR 3e.4 (v1.0 tag) landed via the phase-status-bump skill flow.

PHASE_STATUS.md:
- Phase 3 row → ✅ DONE 2026-05-14
- "Current focus" → v1.0.0 SHIPPED, Phase 4a (workflow cache improvements) next per v1-to-v1-1-migration/PLAN.md
- Phase 3e placeholder (lines 122-128) replaced with completion block covering 9 PRs: #43 Beneish, #45 Dechow, #46 Honest Limitations, #47-49+51+56 audit-#6 deep-clean (cache key v2 bump), #50 SEC Filing Roadmap, #52/#54 UX trio planning, #55 workflow rebase-then-push, #56 P1 audit backfill (migration + schema-versioning + backtest-infra)
- Defense scorecard updated to v1.0.0 final: 4 active vetoes (1 deferred behind feature flag) + 5 guards + Tier-2 going_concern + Tier-3 Beneish/Dechow + 8 valuation warnings
- Phase 3d production stats: filled in DRAFT placeholders with final numbers (498/502 fair-price, 100% Tier-2 coverage, 646 tests)
- Phase 3e production stats: new section with v1.0 verification (commit b5bc65f, run #32, median PE 23.2, 3 data-quality edge cases, 31.9%/31.3% Beneish/Dechow coverage)
- Phase 3d + 3e acceptance checklists: all items [x]

SKILL.md Table 2 (schema version history):
- Stub row for `1.0.0` (forward-looking) replaced with actual v1.0 ship row: `0.6.0-phase3d @ tag v1.0.0` (data version stays at 0.6.0-phase3d since PR 3e added only additive optional fields — beneish_m_score, dechow_f_score)
- Row captures: 3 Tier-3 layer additions + Honest Limitations + audit #6 deep clean + workflow CI hardening + Phase 4 planning + production verification snapshot
- The 4th veto `non_reliance_filing` note clarified: implemented but deferred behind `_EIGHT_K_DEFENSES_ENABLED = False` per PR 3e shipping state; re-enable in Phase 4

WORKFLOW.md "Phase 3 / v1.0 Acceptance Criteria":
- All 19 items flipped from [ ] to [x]
- New "Audit-#6 deep-clean" subsection (added mid-3e) tracks the 8 secondary-layer items completed during the audit cycle
- "Ship" subsection records v1.0.0 tag + GitHub Release published + commit b5bc65f / run #32 production verification

Invariants verified before commit:
- Phase number matches across all three files
- Schema version `0.6.0-phase3d` consistent with frontend/public/data/metadata.json::version
- Production-verified commit SHA `b5bc65f3` referenced consistently
- Active veto count: 4 (with 1 deferred behind feature flag) — matches defense-scorecard against latest production output
- No deferred item without a matching PLAN.md in .claude/skills/phase-4/<name>/ or filed issue

Per the phase-status-bump skill anti-patterns: no schema version bump in code (compute/output/schemas.py or pyproject.toml) — those happen with the next scoring/shape change PR. This commit only touches the docs that reference the version.

Next deliverable: Phase 4a — workflow cache improvements (10-K text + fundamentals_history + prices + universe). Pre-planned in .claude/skills/phase-4/v1-to-v1-1-migration/PLAN.md §"Sequencing".

https://claude.ai/code/session_015649aRyi2bvciQYZVNACd2

Co-authored-by: Claude <noreply@anthropic.com>
Summary
Note: this PR replaces #30 (closed). The proxy in this dev environment blocks force-pushes after a rebase, so re-opened on a `-v2` branch with the same commit rebased cleanly onto the new main (821856d, post-PR-#27).

Three small follow-ups surfaced by the Phase 0 → 3d retrospective audit:

A. Backport pr-quality-gate fixes to `security-check` helper
- Add `pr-quality-gate` to `_QUANTRANK_SKILLS` allowlist — was being flagged as a vendored skill missing `LICENSE`
- Tighten `--no-verify`/`--no-gpg-sign` regex to a `git ... --no-verify` command-context match — the naive `in body` substring matched prose mentions inside the pr-quality-gate commit body. Same fix shipped in PR feat(skills): add pr-quality-gate skill (Section A-G PR completeness audit) #29 for pr-quality-gate's Section F; now mirrored here.

B. Add explicit `permissions:` block to `.github/workflows/ci.yml`
- `contents: read` is the right least-privilege scope.
- Matches the `compute-rankings.yml` pattern.

C. (separate) Filed as issue #31 — Next.js 14.2 → 16.x upgrade (1 critical CVE).
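To make the Section B / Section E point concrete, here is an added example (not the project's `security-check` helper and not its real `ci.yml`) that shows a workflow with no `permissions:` block beside the corrected one, and a small line-based check of the kind a least-privilege audit would run over each workflow file. The workflow snippets are constructed, the scanner only looks at the workflow-level key (job-level overrides are out of scope), and it deliberately avoids a YAML library so it runs with the standard library alone.

```python
import re

# Constructed workflow snippets (not the project's files).
# Weak: no explicit permissions, so GITHUB_TOKEN gets the repository's implicit defaults.
WITHOUT_PERMISSIONS = """name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ruff check .
"""

# Corrected: workflow-level read-only token, as the PR adds to ci.yml.
WITH_PERMISSIONS = """name: CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ruff check .
"""

# Declares permissions, but broader than a lint-only job needs.
TOO_BROAD = """name: CI
on: [push]
permissions:
  contents: write
  pull-requests: read
jobs:
  test:
    runs-on: ubuntu-latest
"""

READ_ALL_SHORTHAND = "name: CI\npermissions: read-all\njobs: {}\n"

# Workflow-level key only: column 0, optional shorthand value, optional comment.
_TOP_PERMS_RE = re.compile(r"^permissions:\s*(.*?)\s*(?:#.*)?$")
# Indented `scope: value` children of the block.
_SCOPE_RE = re.compile(r"^\s+([\w-]+):\s*([\w-]+)")


def top_level_permissions(workflow_text: str):
    """Return None (no block), a shorthand string, or {scope: value} for the mapping form."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = _TOP_PERMS_RE.match(line)
        if not m:
            continue
        shorthand = m.group(1)
        if shorthand:
            return shorthand  # e.g. "read-all", "write-all", "{}"
        scopes = {}
        for child in lines[i + 1:]:
            if child.strip() == "":
                continue
            if not child[0].isspace():
                break  # next top-level key ends the block
            sm = _SCOPE_RE.match(child)
            if sm:
                scopes[sm.group(1)] = sm.group(2)
        return scopes
    return None


def least_privilege_verdict(workflow_text: str) -> tuple[bool, str]:
    """(passes, reason): passes only when the workflow-level token is read-only or empty."""
    perms = top_level_permissions(workflow_text)
    if perms is None:
        return False, "no workflow-level permissions: block; token falls back to implicit defaults"
    if isinstance(perms, str):
        if perms in ("read-all", "{}"):
            return True, f"shorthand {perms}"
        return False, f"shorthand {perms} grants write access"
    writes = sorted(s for s, v in perms.items() if v == "write")
    if writes:
        return False, "write access on: " + ", ".join(writes)
    return True, "declared scopes are read/none: " + ", ".join(f"{s}: {v}" for s, v in perms.items())


if __name__ == "__main__":
    for name, text in [("without", WITHOUT_PERMISSIONS), ("with", WITH_PERMISSIONS),
                       ("too-broad", TOO_BROAD), ("read-all", READ_ALL_SHORTHAND)]:
        ok, why = least_privilege_verdict(text)
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}: {why}")
```

A real check would also walk each job's `permissions:` key, since a job-level block replaces the workflow-level one rather than narrowing it; the scanner here stays at the workflow level because that is the scope the PR changes.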
Verification (after rebase onto main @ 821856d)
- `ruff check .` — clean
- `python .claude/skills/security-check/helper.py` — Sections E, F (apart from upstream `doc-coauthoring`), G all clean. Only remaining hard fail is pre-existing Next.js CVE (issue Upgrade Next.js 14.2 → 16.x to resolve 24 accumulated advisories (1 critical) #31)
- `python .claude/skills/pr-quality-gate/helper.py --skip-pytest --skip-next-build` — all sections clean

Test plan
Why a -v2 branch
The original branch (`chore/security-check-backport-and-ci-perms` → PR #30) was opened against main @ `6529aba`. PR #27 then merged (advancing main to `821856d` with new compute output). The branch needed a rebase to clear GitHub's "branch out of date" warning. The proxy in this dev environment returns 403 on force-pushes, so the standing workaround is to push the rebased commit onto a fresh branch name and reopen the PR. Same workaround used in earlier PR cycles (#25 → #26).

https://claude.ai/code/session_015649aRyi2bvciQYZVNACd2
Generated by Claude Code