chore: sync Development → main (v1.3.5)

[dbwg2009]

Summary

Syncs Development into main, bringing in all changes since the last Development → main merge.

Why

Routine sync to keep main up to date with infra/CI improvements that have been running on Development. No related feature issue — this is housekeeping.

Changes included in this diff

• Release Please + Codecov automation (.github/workflows/release-please.yml, release-please-config.json, release-please-manifest.json)
• pr-checks.yml updated to run Vitest and upload coverage to Codecov
• vitest.config.ts updated to emit lcov coverage report
• package.json bumped to v1.3.5 with PostCSS XSS override (postcss@^8.5.10)
• CHANGELOG.md updated
• .claude/memory/feedback_pr_workflow.md updated (docs only)

Note: Sentry, Docker healthcheck, Vitest scaffolding, and other infra changes from v1.3.3/v1.3.4 were already on Development before this sync — they are not new in this diff.

No release needed

Releases v1.3.3 → v1.3.5 have already been cut against the commits included here.

Test plan

• Verify npm ci succeeds after merge
• Confirm CI passes on main

🤖 Generated with Claude Code

[coderabbitai]

📝 Walkthrough

Walkthrough

PR introduces Release Please automation for Node releases, adds Codecov coverage tracking integration, updates package version to 1.3.5, enforces postcss ^8.5.10 via npm overrides to address Next.js nested vulnerability, and clarifies post-merge PR workflow handling for automated bot checks.

Changes

Release Automation Setup

Layer / File(s)	Summary
Release Please Configuration .github/release-please-config.json, .github/release-please-manifest.json	Release Please configured for Node releases with changelog sections (feat, fix, perf, refactor, chore, docs) and PR title template; manifest tracks root version at 1.3.5.
Version and Dependency Updates package.json	Package version bumped to 1.3.5; postcss dependency overridden to ^8.5.10 (both in overrides and devDependencies) to resolve Next.js nested vulnerability.
Release Workflow .github/workflows/release-please.yml	New workflow triggers on main branch pushes with write permissions, runs googleapis/release-please-action v4 configured for Node release automation.
Release Documentation .claude/memory/feedback_pr_workflow.md, CHANGELOG.md	PR workflow instructions expanded to describe bot-comment handling, issue addressing, and review gating; changelog entries document postcss override fix and vulnerability reduction.

Coverage Reporting Infrastructure

Layer / File(s)	Summary
Vitest Coverage Config vitest.config.ts	Coverage reporter array extended to emit both text and lcov formats.
Codecov Upload Step .github/workflows/pr-checks.yml	PR checks workflow adds codecov-action step that uploads ./coverage/lcov.info with repository token authentication; configured to not fail CI on upload errors.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

• #101 — postcss override and version bump directly address this vulnerability fix issue.

Possibly related PRs

• dbwg2009/Noted#102: Modifies same postcss override and package version updates to address PostCSS vulnerability.
• dbwg2009/Noted#103: Updates same release-related files (package.json version, CHANGELOG.md) for coordinated releases.

Suggested labels

chore, area: docs

Poem

🐰 A Release Please hops into the night,
Coverage reports glow lcov-bright,
PostCSS patched, vulnerabilities flight,
Version bumped to 1.3.5—all is right! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: syncing Development into main with version 1.3.5, which directly matches the raw summary and PR objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description covers the key required sections (What, Why, Changes) and provides clear context for the sync, though it deviates from the template structure by using a custom format.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch Development

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes.}

[codacy-production]

Pull Request Overview

While this PR successfully implements security overrides for PostCSS and integrates Codecov, it contains a critical error in package-lock.json that will cause npm ci to fail due to version/integrity mismatches. Additionally, there is a systemic conflict between the new release-please automation and the existing manual workflow instructions.

Note: The PR description references Sentry error tracking, Docker healthchecks, and Vitest unit tests, but these files are missing from the current diff. These must be included or the description corrected before merging.

About this PR

• The PR description mentions including 'Sentry error tracking', 'Docker healthcheck', and 'Vitest unit tests', but the corresponding implementation files (e.g., Sentry config, healthcheck routes, or actual test files) are not present in this diff. Please verify if these were intended for this release.

Test suggestions

• Verify that the npm override forces 'postcss' to version ^8.5.10 globally.
• Ensure Vitest is configured to generate lcov reports for Codecov consumption.
• Validate the Codecov GitHub Action is correctly triggered in the CI check pipeline.
• Confirm Release Please configuration is valid for a Node.js project.

_{TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback}

[codacy-production]

_{🔴 HIGH RISK}

The version for error-ex was accidentally updated to 1.3.5, creating a mismatch with the resolved tarball version (1.3.4). This appears to be an accidental result of a global find-and-replace for the project version (1.3.4 -> 1.3.5). This mismatch will cause npm ci to fail with integrity errors.

Suggested change

	"version": "1.3.5",
	"version": "1.3.4",

[codacy-production]

_{🟡 MEDIUM RISK}

Suggestion: Introducing release-please conflicts with the established manual CHANGELOG format and the versioning workflow defined in .claude/memory/feedback_pr_workflow.md. Once active, release-please will attempt to manage these files automatically using its own standard format, which will overwrite your custom 'By/What/Why' metadata entries. You should update the project instructions to reflect the new automated process or remove the action to maintain manual control.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!