fix(ci): point license gate at packages/cli and align plugin tool namespace to codehub #193
Merged
…espace to codehub
Two independent fixes for gates that were green but checking nothing.
License gate (vacuous post package-collapse): After the 17->1 package collapse, the root package.json is private with no runtime dependencies, so license-checker-rseidelsohn --production --excludePrivatePackages run from the repo root traversed zero packages and passed vacuously. The real third-party runtime deps (including lru-cache, which is BlueOak-1.0.0) live in packages/cli. All four callers (scripts/acceptance.sh, mise.toml, .github/workflows/ci.yml, and .github/workflows/pre-release-gate.yml) now pass --start packages/cli so the checker traverses the cli production deps, and all four share one unified allowlist superset: Apache-2.0;MIT;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;BlueOak-1.0.0;0BSD (acceptance.sh previously omitted BlueOak-1.0.0 and 0BSD). Verified the corrected command now lists 25 cli production packages and exits 0, and a deliberately-narrow allowlist correctly fails on lru-cache, proving the scan is no longer vacuous.
Plugin tool namespace (broken at runtime): The MCP server registers under the key codehub, so the live tools are mcp__codehub__*. The plugin's code-analyst agent tool grants and the skill files referenced tools as mcp__opencodehub__*, which matched zero real tools. Rewrote mcp__opencodehub__ -> mcp__codehub__ across the plugins/ runtime tree and the committed .claude/ install mirror (agent frontmatter grants + skill invocation/reference text). Server key, CLI bin name, and setup.ts are unchanged.
Summary
Two independent fixes for CI/runtime gates that were green but checking nothing after the package collapse (#189).
Item A — License gates were vacuous post-#189
After the 17→1 package collapse, the root package.json is private: true with dependencies: {}. So license-checker-rseidelsohn --production --excludePrivatePackages invoked from the repo root traverses zero packages and passes vacuously, leaving the real packages/cli runtime deps (including lru-cache@11.5.0, which is BlueOak-1.0.0) unvalidated. The allowlist string also diverged between callers.
Fix — all four callers now scan the cli production deps via --start packages/cli and share one unified allowlist superset:
- scripts/acceptance.sh (gate 5)
- mise.toml ([tasks.licenses])
- .github/workflows/ci.yml (licenses job)
- .github/workflows/pre-release-gate.yml (licenses-reassert job)
Unified allowlist: Apache-2.0;MIT;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;BlueOak-1.0.0;0BSD (acceptance.sh previously omitted BlueOak-1.0.0 and 0BSD).
Verified: the corrected command traverses 25 cli production packages and exits 0; lru-cache (BlueOak-1.0.0) is present and permitted. A deliberately-narrow allowlist (no BlueOak) correctly fails on lru-cache — proving the scan is no longer vacuous. The cli license set is {MIT, Apache-2.0, ISC, BlueOak-1.0.0}, fully covered.
Item B — Plugin tool namespace was broken at runtime
The MCP server registers under the key codehub, so the live tools are mcp__codehub__*. The plugin's code-analyst agent tool grants and the skill files referenced mcp__opencodehub__*, which matched zero real tools.
Fix — rewrote mcp__opencodehub__ → mcp__codehub__ across the plugins/ runtime tree (agent frontmatter grants + skill invocation/reference text) and the committed .claude/ install mirror. Server key, CLI bin name, and setup.ts are unchanged. Post-edit grep confirms zero residual mcp__opencodehub__ in the runtime trees.
Broad doc/ADR mcp__opencodehub__ prose references (docs/, packages/docs/, .erpaval/, root CLAUDE.md) are intentionally left for a follow-up branding-consistency PR — they are non-runtime.
🤖 Surfaced by an automated roadmap-survey workflow; implemented + verified in an isolated worktree (build/test/lint green).
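The vacuous pass in Item A can be caught by asserting on how much was scanned, not only on the absence of violations. The following is an added example, not code from this PR: `evaluateLicenseScan` is a hypothetical helper that takes a report shaped like license-checker's `--json` output, and the sample reports (other than the `lru-cache@11.5.0` entry named above) are constructed.

```javascript
// Unified allowlist quoted in the PR description.
const ALLOWLIST = "Apache-2.0;MIT;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;BlueOak-1.0.0;0BSD";

// Hypothetical helper (not part of the PR). `report` has the shape of
// license-checker's --json output: { "name@version": { licenses: ... } }.
function evaluateLicenseScan(report, allowlist, minPackages) {
  const allowed = new Set(allowlist.split(";").map((s) => s.trim()).filter(Boolean));
  const entries = Object.entries(report);
  const violations = [];
  for (const [pkg, info] of entries) {
    // `licenses` is a string or an array; require every listed id to be allowed.
    // SPDX expressions such as "(MIT OR ISC)" are not parsed and count as unlisted.
    const found = [].concat(info.licenses ?? "UNKNOWN");
    const bad = found.filter((id) => !allowed.has(id));
    if (bad.length > 0) violations.push({ pkg, licenses: bad });
  }
  let reason = "";
  if (entries.length < minPackages) {
    // Zero violations over zero packages is not a pass.
    reason = `scanned ${entries.length} packages, expected at least ${minPackages}`;
  } else if (violations.length > 0) {
    reason = "license outside allowlist";
  }
  return { ok: reason === "", scanned: entries.length, violations, reason };
}

// Constructed sample reports.
const rootScan = {}; // private root package with no dependencies
const cliScan = {
  "lru-cache@11.5.0": { licenses: "BlueOak-1.0.0" }, // package named in the PR
  "sample-mit-lib@1.0.0": { licenses: "MIT" },       // constructed
  "sample-isc-lib@2.3.1": { licenses: ["ISC"] },     // constructed
};

console.log(evaluateLicenseScan(rootScan, ALLOWLIST, 1)); // fails: nothing scanned
console.log(evaluateLicenseScan(cliScan, ALLOWLIST, 1)); // passes
console.log(evaluateLicenseScan(cliScan, "Apache-2.0;MIT;ISC", 1)); // fails on lru-cache
```

In CI, `minPackages` would be set near the known size of the production tree, so a later restructuring that empties the scan fails the gate.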
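The post-edit grep from Item B can be kept as a standing check that flags any `mcp__<server>__` reference whose server segment is not a registered key. This is an added example, not code from this PR: `findStaleToolRefs`, the file paths, the `tools:` frontmatter line and the tool names `query` and `context` are assumptions, and server keys are assumed to contain no underscores.

```javascript
// Hypothetical helper (not part of the PR). `files` maps path -> file text.
function findStaleToolRefs(files, registeredKeys) {
  const known = new Set(registeredKeys);
  // mcp__<server>__<tool or *>; the server segment is captured for comparison.
  const refPattern = /\bmcp__([A-Za-z0-9-]+)__[A-Za-z0-9_*-]*/g;
  const stale = [];
  for (const [path, text] of Object.entries(files)) {
    const lines = text.split("\n");
    // Frontmatter is the block between a leading '---' and the next '---'.
    const fmEnd = lines[0] === "---" ? lines.indexOf("---", 1) : -1;
    lines.forEach((line, i) => {
      for (const m of line.matchAll(refPattern)) {
        if (known.has(m[1])) continue;
        // A stale frontmatter grant matches no live tool; a stale body
        // reference tells the agent to call a tool that does not exist.
        stale.push({ path, line: i + 1, ref: m[0],
                     where: i < fmEnd ? "frontmatter" : "body" });
      }
    });
  }
  return stale;
}

// Constructed sample files (paths and tool names are illustrative).
const sampleFiles = {
  "sample/agents/code-analyst.md": [
    "---",
    "name: code-analyst",
    "tools: mcp__opencodehub__query, mcp__codehub__context, Read",
    "---",
    "Call mcp__opencodehub__query before answering.",
  ].join("\n"),
  "sample/skills/explore.md": "Use mcp__codehub__query to locate symbols.",
};

console.log(findStaleToolRefs(sampleFiles, ["codehub"]));
```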