
docs: add supply-chain security and CI test quality roadmap items #464

Merged
carlos-alm merged 10 commits into main from docs/roadmap-ci-security
Mar 16, 2026

Conversation

@carlos-alm Contributor

Summary

  • Add 4.7 -- Supply-Chain Security & Audit: npm audit in CI, SBOM generation (CycloneDX/SPDX), SLSA provenance attestation, security audit log
  • Add 4.8 -- CI Test Quality & Coverage Gates: coverage thresholds enforced in CI, unified embedding test workflow, setTimeout/sleep cleanup (312 instances), dependency audit step
  • Both placed after Phase 4 (TypeScript Migration) as foundational CI hygiene — no dependency on Phase 9 GitHub Action infrastructure

Test plan

  • Verify ROADMAP.md renders correctly on GitHub
  • Confirm section numbering and cross-references are consistent

Expand the deferred Phase 3 items into a dedicated phase after
TypeScript Migration with detailed descriptions for each sub-item:
event-driven pipeline, unified engine strategy, subgraph export
filtering, transitive confidence, query caching, config profiles,
pagination standardization, and plugin system.

Renumber subsequent phases 5-9 → 6-10 with all cross-references
updated.
…7, 4.8)

Add two new roadmap sections after TypeScript Migration (Phase 4):
- 4.7 Supply-Chain Security & Audit: npm audit in CI, SBOM generation,
  SLSA provenance, security audit log
- 4.8 CI Test Quality & Coverage Gates: coverage thresholds in CI,
  unified test workflow, setTimeout/sleep cleanup, dependency audit
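The 4.7 dependency-audit step and the 4.8 coverage gate described above both come down to a CI step that reads a JSON report and decides whether the pipeline fails. The following is an added example, not code from this PR or from the project: two gate functions that run over the shape of `npm audit --json` output (auditReportVersion 2) and of the `coverage-summary.json` that `vitest --coverage` writes with the `json-summary` reporter. Both inputs are constructed samples embedded inline; the package names, advisory URLs and counts are placeholders, not real advisories. The audit gate also shows the piece a plain `npm audit` exit code lacks: an allowlist with expiry dates, so an accepted finding cannot silently stay accepted forever.

```javascript
// Added example (not code from this PR or the codegraph project): CI gate
// checks over `npm audit --json` and vitest `coverage-summary.json` output.
// All inputs below are constructed samples; names and URLs are placeholders.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed `npm audit --json` output (auditReportVersion 2 shape).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser",
      severity: "high",
      isDirect: true,
      via: [{ title: "placeholder advisory", url: "https://example.invalid/GHSA-placeholder-1", severity: "high", range: "<2.0.0" }],
      range: "<2.0.0",
      fixAvailable: true,
    },
    "example-colors": {
      name: "example-colors",
      severity: "low",
      isDirect: false,
      via: [{ title: "placeholder advisory", url: "https://example.invalid/GHSA-placeholder-2", severity: "low", range: "<1.4.1" }],
      range: "<1.4.1",
      fixAvailable: false,
    },
    "example-cli": {
      name: "example-cli",
      severity: "high",
      isDirect: true,
      via: ["example-parser"], // string entries: affected only through that package
      range: ">=1.0.0",
      fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 2, critical: 0, total: 3 } },
};

// Constructed `coverage/coverage-summary.json`; only the `total` block is used.
const SAMPLE_COVERAGE = {
  total: {
    lines: { total: 1200, covered: 1020, skipped: 0, pct: 85 },
    statements: { total: 1300, covered: 1092, skipped: 0, pct: 84 },
    functions: { total: 200, covered: 170, skipped: 0, pct: 85 },
    branches: { total: 400, covered: 296, skipped: 0, pct: 74 },
  },
};

// Block on any advisory at or above `failOn` severity unless an allowlist
// entry ({ url, expires: "YYYY-MM-DD", reason }) accepts it and has not
// expired. Transitive `via` strings are skipped: the package that actually
// carries the advisory is judged on its own entry.
function auditGate(report, { failOn = "high", allowlist = [], now = new Date() } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  const blocking = [];
  for (const vuln of Object.values(report.vulnerabilities ?? {})) {
    if ((SEVERITY_RANK[vuln.severity] ?? 0) < threshold) continue;
    const advisories = vuln.via.filter((v) => typeof v === "object");
    const unaccepted = advisories.filter((adv) => {
      const entry = allowlist.find((a) => a.url === adv.url);
      return entry === undefined || new Date(entry.expires) < now;
    });
    if (unaccepted.length > 0) {
      blocking.push({
        name: vuln.name,
        severity: vuln.severity,
        direct: Boolean(vuln.isDirect),
        fixAvailable: Boolean(vuln.fixAvailable),
        advisories: unaccepted.map((a) => a.url),
      });
    }
  }
  return { ok: blocking.length === 0, blocking };
}

// Fail when any requested metric in `total` is missing or below its minimum.
function coverageGate(summary, thresholds) {
  const failures = [];
  for (const [metric, min] of Object.entries(thresholds)) {
    const pct = summary.total?.[metric]?.pct;
    if (typeof pct !== "number") failures.push({ metric, reason: "not measured" });
    else if (pct < min) failures.push({ metric, pct, min });
  }
  return { ok: failures.length === 0, failures };
}

// Exit status a CI step would return: non-zero if any gate failed.
function exitCodeFor(...results) {
  return results.every((r) => r.ok) ? 0 : 1;
}

const audit = auditGate(SAMPLE_AUDIT);
const coverage = coverageGate(SAMPLE_COVERAGE, { lines: 80, branches: 80 });
console.log(JSON.stringify({ audit, coverage, exitCode: exitCodeFor(audit, coverage) }, null, 2));
```

In a workflow step the two samples would be replaced by `JSON.parse` of `npm audit --omit=dev --json` and of `coverage/coverage-summary.json`, and the script would end with `process.exit(exitCodeFor(audit, coverage))`. The allowlist is the part worth keeping under review: every accepted advisory carries a reason and an expiry, so the gate reopens the finding once the date passes instead of the exception living on unnoticed.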
@claude

claude Bot commented Mar 16, 2026

PR Review: Supply-Chain Security & CI Test Quality Roadmap Items

Reviewing PR #464 that adds roadmap items 4.7 and 4.8 for supply-chain security and CI test quality.

Todo List

  • Read and analyze the modified ROADMAP.md file
  • Apply 5-phase review process (root cause, config changes, test integrity, code quality, backlog compliance)
  • Provide structured final assessment with rating and recommendation

Analysis Summary

The PR adds two new roadmap items (4.7 and 4.8) to Phase 4, along with minor corrections:

  • 4.7 -- Supply-Chain Security & Audit: npm audit in CI, SBOM generation, SLSA provenance, security audit log
  • 4.8 -- CI Test Quality & Coverage Gates: coverage thresholds, unified embedding tests, setTimeout cleanup, dependency auditing
  • Fixed section numbering (9.6 → 9.5) and marked 3.13 as completed
  • Updated Phase 4 summary to include the new items

Root Cause Analysis

Problem Being Solved: Addressing missing CI hygiene and security practices that should be foundational before advanced features. The current CI lacks coverage enforcement, security auditing, and has test quality issues (312 setTimeout instances creating potential flakiness).

Why This Approach: Logical placement in Phase 4 after TypeScript migration but before runtime extensibility. These are foundational CI practices that don't depend on later infrastructure work but benefit from the clean architecture established in Phase 3.

Risk Assessment: Very low risk. This is documentation-only planning that adds no immediate dependencies or breaking changes. The proposed items follow industry best practices for supply-chain security and test quality.

Backlog Compliance

  • Zero-dep: ✓ — No new runtime dependencies. Proposed tooling (@cyclonedx/cyclonedx-npm, GitHub Actions) is dev/CI-only
  • Foundation-aligned: ✓ — Fully compliant with all principles. Enhances P4 (zero-cost core) by improving CI efficiency, supports P1 (always-current) by catching issues earlier
  • Problem-fit: 3 — Useful CI hygiene but doesn't directly address core problem of AI agents getting lost in codebases. However, better test reliability indirectly helps AI tools by ensuring consistent behavior
  • Breaking: No — Pure documentation additions with no changes to existing APIs, CLI outputs, or contracts
  • Tier: 1 (zero-dep ✓ + foundation-aligned ✓)

Critical Concerns

None identified. This is well-structured documentation that:

  1. Proper cross-references: Item 4.8 correctly links to 4.7 with [4.7](#47----supply-chain-security--audit)
  2. Consistent formatting: Follows established roadmap patterns with Gap/Deliverables structure
  3. Realistic scope: Items are appropriately sized for Phase 4 and don't overpromise
  4. Good hygiene fixes: Corrects section numbering (9.6 → 9.5) and marks completed items

Minor Observations

  • Cross-reference to 4.7 in 4.8 is correctly formatted
  • The 312 setTimeout count is specific and actionable
  • SLSA Level 2+ specification shows appropriate security knowledge
  • Phase 4 summary update maintains consistency with other phase descriptions

Final Recommendation

  • Rating: ⭐⭐⭐⭐☆ (4/5)
  • Action: APPROVE
  • Reasoning: This is high-quality documentation that adds important CI hygiene items to the roadmap. Well-researched content (specific setTimeout count, appropriate security standards), proper cross-references, and logical placement in the development sequence. The minor formatting fixes and completion marking demonstrate attention to detail.

Approved — This enhances the roadmap with essential CI practices that should indeed be foundational work.


@greptile-apps Contributor

greptile-apps Bot commented Mar 16, 2026

Greptile Summary

This PR adds two new Phase 4 sub-sections (4.7 -- Supply-Chain Security & Audit and 4.8 -- CI Test Quality & Coverage Gates) and one new Phase 5 sub-section (5.9 -- Developer Experience & Onboarding) to the roadmap, and resolves a prior review finding by relocating the "Auto-generated Docstrings" section from after Phase 10 into its correct position as 9.5 within Phase 9.

Key changes:

  • 4.7 covers npm audit in CI, SBOM generation (CycloneDX/SPDX), SLSA Level 2+ provenance attestation, and a security audit log
  • 4.8 covers vitest coverage gates, unified embedding test workflow, and setTimeout/sleep cleanup; the previously duplicate npm audit deliverable has been replaced with a cross-reference to 4.7
  • 5.9 adds a DX & onboarding section with codegraph init, npx support, pre-built editor configs, and guided CLI output
  • 9.5 -- Auto-generated Docstrings is now correctly placed after 9.4 (SARIF Output) and before the Phase 10 header — however, the old 10.6 copy was not removed, leaving an identical duplicate section still present in Phase 10
  • The Phase 9 overview table row was not updated to reflect the newly added 9.5 deliverable

Confidence Score: 3/5

  • Documentation-only PR but contains a concrete correctness issue (duplicate section) that should be resolved before merge.
  • The new 4.7, 4.8, and 5.9 sections are well-written, internally consistent, and the duplicate npm audit issue from the prior review was properly addressed. However, the relocation of 9.5 was done by copy-not-move: the original 10.6 -- Auto-generated Docstrings block remains intact after Phase 10, so the section now appears twice in the document. This is a clear documentation defect introduced in this PR that needs to be corrected before merging.
  • docs/roadmap/ROADMAP.md — specifically the 10.6 -- Auto-generated Docstrings block (lines 1649–1658) which should be deleted, and the Phase 9 overview table row which should be updated.

Important Files Changed

docs/roadmap/ROADMAP.md: Adds sections 4.7 (Supply-Chain Security), 4.8 (CI Coverage Gates), 5.9 (DX & Onboarding), and moves 9.5 (Auto-generated Docstrings) to the correct Phase 9 position — but the old 10.6 duplicate was not deleted, leaving the same content in two places.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["Phase 4 — TypeScript Migration"]
    A --> A1["4.1–4.6 (existing)"]
    A --> A2["4.7 — Supply-Chain Security & Audit\n(npm audit, SBOM, SLSA, audit log)"]
    A --> A3["4.8 — CI Test Quality & Coverage Gates\n(coverage thresholds, unified test workflow, timer cleanup)"]
    A2 -->|"deliverable 1 cross-referenced"| A3

    B["Phase 5 — Runtime & Extensibility"]
    B --> B1["5.1–5.8 (existing)"]
    B --> B2["5.9 — Developer Experience & Onboarding\n(codegraph init, npx, editor configs, guided CLI)"]

    C["Phase 9 — GitHub Integration & CI"]
    C --> C1["9.1–9.4 (existing)"]
    C --> C2["9.5 — Auto-generated Docstrings\n(added in correct position ✅)"]
    C --> C3["⚠️ 10.6 — Auto-generated Docstrings\nDUPLICATE — not removed from Phase 10"]

    style C3 fill:#ffcccc,stroke:#cc0000

Comments Outside Diff (2)

  1. docs/roadmap/ROADMAP.md, lines 1649-1658

    Duplicate section not removed after move

    The previous review thread noted that "Auto-generated Docstrings" was misplaced after Phase 10, and the author's reply confirmed it was "moved" to 9.5. However, the section was only copied — the original 10.6 -- Auto-generated Docstrings block (lines 1649–1658) was never removed. The document now contains two identical sections:

    • 9.5 -- Auto-generated Docstrings (newly added, correct position, after 9.4 SARIF Output)
    • 10.6 -- Auto-generated Docstrings (this block, old position, still present)

    The entire 10.6 section and its surrounding --- separator should be removed to complete the move.

  2. docs/roadmap/ROADMAP.md, line 25

    Phase 9 overview row missing new 9.5 deliverable

    The Phase 9 row in the overview table still lists only four deliverables — "Reusable GitHub Action, LLM-enhanced PR review, visual impact graphs, SARIF output" — corresponding to sections 9.1–9.4. Since this PR adds 9.5 -- Auto-generated Docstrings to Phase 9, the key deliverables column should be updated to include it for consistency with how other phases surface their subsection content.

Last reviewed commit: 4482224

Comment thread docs/roadmap/ROADMAP.md Outdated
**Depends on:** 6.4 (`risk_score`, `complexity_notes`), 6.5 (module summaries)

### 9.6 -- Auto-generated Docstrings
### 9.5 -- Auto-generated Docstrings
Contributor

Section 9.5 misplaced after Phase 10

This section (renumbered from 9.6 → 9.5) still sits after all Phase 10 sections (10.1–10.5), making it appear to belong to Phase 10 rather than Phase 9. Since this PR already touches the section number, it would be a good opportunity to move it to its correct position — after section 9.4 (SARIF Output, line 1537) and before the Phase 10 header.

Contributor Author

Fixed — moved section 9.5 (Auto-generated Docstrings) to its correct position after section 9.4 (SARIF Output) and before the Phase 10 header.

Add Phase 5.9 — Developer Experience & Onboarding:
- codegraph init interactive wizard with editor config auto-detection
- Published benchmarks across reference repos
- npx zero-install support
- Pre-built editor configs for Cursor, VS Code, Zed
- Guided CLI output with next-step suggestions
@carlos-alm Contributor Author

@greptileai

Base automatically changed from docs/roadmap-phase5-runtime-extensibility to main March 16, 2026 10:13
Comment thread docs/roadmap/ROADMAP.md
Comment on lines +1108 to +1124
### 4.8 -- CI Test Quality & Coverage Gates

**Gaps:**

- No coverage thresholds enforced in CI (coverage report runs locally only)
- Embedding tests in separate workflow requiring HuggingFace token
- 312 `setTimeout`/`sleep` instances in tests — potential flakiness under load
- No dependency audit step in CI (see also [4.7](#47----supply-chain-security--audit))

**Deliverables:**

1. **Coverage gate** -- add `vitest --coverage` to CI with minimum threshold (e.g. 80% lines/branches); fail the pipeline when coverage drops below the threshold
2. **Unified test workflow** -- merge embedding tests into the main CI workflow using a securely stored `HF_TOKEN` secret; eliminate the separate workflow
3. **Timer cleanup** -- audit and reduce `setTimeout`/`sleep` usage in tests; replace with deterministic waits (event-based, polling with backoff, or `vi.useFakeTimers()`) to reduce flakiness
4. **Dependency audit step** -- add `npm audit --omit=dev` to CI (shared with 4.7)

**Affected files:** `.github/workflows/ci.yml`, `vitest.config.js`, `tests/`
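Review bot: deliverable 2 routes the embedding tests through an `HF_TOKEN` secret in the main workflow, but repository secrets are not passed to workflow runs triggered by pull requests from forks, so the consolidated job needs an `if:` guard that skips the embedding step when the secret is absent; without it the merge turns every fork PR into a red pipeline, which works against the flakiness goal in deliverable 3. For deliverable 1, since `vitest.config.js` is already in the affected files, put the minimums in the config's `test.coverage.thresholds` block rather than only on the `vitest --coverage` command line, so local runs and CI enforce the same numbers.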
Contributor

Duplicate npm audit deliverable creates ownership ambiguity

Section 4.7 deliverable 1 and section 4.8 deliverable 4 both describe the same npm audit --omit=dev CI step. While 4.8 acknowledges the overlap with "(shared with 4.7)", having the same deliverable tracked in two independent sections risks:

  • It being implemented twice (wasted effort) or
  • Neither team/PR treating it as their primary responsibility ("the other section will handle it")

Consider removing deliverable 4 from 4.8 entirely and replacing it with a plain cross-reference note, e.g.:

Dependency audit step is covered by 4.7 deliverable 1.

This makes 4.7 the clear owner and 4.8 a consumer of that work.

Contributor Author

Fixed — removed the duplicate npm audit deliverable from 4.8 and replaced it with a cross-reference to 4.7, making ownership unambiguous.

@carlos-alm Contributor Author

@greptileai

@carlos-alm carlos-alm merged commit caf1cf1 into main Mar 16, 2026
13 checks passed
@carlos-alm carlos-alm deleted the docs/roadmap-ci-security branch March 16, 2026 10:39
@github-actions github-actions Bot locked and limited conversation to collaborators Mar 16, 2026