chore: sync with rhiza template v0.9.5 #369

Merged
tschm merged 5 commits into main from rhiza
Apr 16, 2026

@tschm tschm commented Apr 16, 2026

Summary

  • Added .rhiza/template.yml to configure rhiza sync from jebel-quant/rhiza@v0.9.5
  • Updated rhiza tooling infrastructure (rhiza.mk, .rhiza-version → 0.12.1, bootstrap.mk) to use the current sync command (replacing deprecated materialize)
  • Ran make sync — first-time full template sync applied 43 template files, removed 14 orphaned files

Changes

New files: GitHub templates (discussion, issue), actions, hooks, workflows (rhiza_weekly, copilot-setup-steps), dependabot, semgrep, docs/ structure, make.d/ modules (book.mk, marimo.mk, quality.mk, releasing.mk)

Removed: Deprecated workflows (rhiza_codeql, rhiza_deptry, rhiza_mypy, rhiza_pre-commit, rhiza_validate), renovate.json, CODE_OF_CONDUCT.md, CONTRIBUTING.md, book/ tree, old custom make.d files

Updated: .gitignore, .pre-commit-config.yaml, ruff.toml, workflow files, requirements

Test plan

  • make sync ran cleanly with no merge conflicts
  • Verify GitHub Actions workflows trigger correctly after merge

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • New Features

    • Added GitHub Discussions Q&A template and issue templates for bug reports and feature requests
    • Introduced weekly automated compatibility testing and security scanning workflows
    • Implemented MkDocs-based documentation build system with improved navigation
    • Added Semgrep static analysis for code quality and security best practices
  • Infrastructure

    • Updated CI/CD workflows with enhanced dependency management and private package authentication
    • Streamlined development environment setup with improved bootstrap and validation processes
    • Migrated documentation structure from legacy system to modern build pipeline
  • Documentation

    • Removed outdated contribution guidelines and code of conduct

tschm and others added 2 commits April 16, 2026 06:49
Update rhiza tooling to use sync command (replacing deprecated materialize),
bump .rhiza-version to 0.12.1, and add bootstrap.mk with install-uv target.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Applied rhiza template sync from jebel-quant/rhiza@v0.9.5. Added new
GitHub templates, workflows, hooks, and make.d files; removed deprecated
workflows and orphaned files.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Copilot AI review requested due to automatic review settings April 16, 2026 02:50

coderabbitai Bot commented Apr 16, 2026

Warning

Rate limit exceeded

@tschm has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 17 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 49 minutes and 17 seconds.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0cc89311-c134-4ced-8171-c3d71b8eaa51

📥 Commits

Reviewing files that changed from the base of the PR and between 2f7b640 and 0617001.

⛔ Files ignored due to path filters (2)
  • docs/paper/1310.3396.pdf is excluded by !**/*.pdf
  • docs/paper/SSRN-id2695101.pdf is excluded by !**/*.pdf
📒 Files selected for processing (6)
  • .rhiza/make.d/README.md
  • Makefile
  • book/docs/index.md
  • docs/talk/abstract.txt
  • docs/talk/bio.txt
  • docs/talk/title.txt
📝 Walkthrough

Comprehensive infrastructure modernization refactoring the development toolchain from pdoc/marimo-based documentation to MkDocs, reorganizing the Make system into modular components, updating GitHub Actions workflows for agent support, introducing automated Git authentication, and adding code quality tooling (Semgrep, Dependabot, enhanced linting).

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| GitHub Discussion & Issue Templates | .github/DISCUSSION_TEMPLATE/q-and-a.yml, .github/ISSUE_TEMPLATE/bug_report.yml, .github/ISSUE_TEMPLATE/feature_request.yml | Added three new GitHub Forms templates with structured fields, labels, and validation for questions, bug reports, and feature requests. |
| GitHub Actions Configuration | .github/actions/configure-git-auth/action.yml, .github/actions/configure-git-auth/README.md | New composite GitHub Action for Git authentication that configures HTTPS URL rewrites to inject credentials from github.token or a custom PAT input, enabling private package access. |
| Removed Workflows | .github/workflows/rhiza_codeql.yml, .github/workflows/rhiza_deptry.yml, .github/workflows/rhiza_mypy.yml, .github/workflows/rhiza_pre-commit.yml, .github/workflows/rhiza_validate.yml | Deleted five workflows (CodeQL analysis, deptry checks, mypy type checking, pre-commit formatting, Rhiza validation), moving these checks into other tooling/local development. |
| Updated Core Workflows | .github/workflows/rhiza_book.yml, .github/workflows/rhiza_marimo.yml, .github/workflows/rhiza_release.yml, .github/workflows/rhiza_sync.yml | Updated dependencies (checkout/setup-uv/artifact actions), integrated git-auth configuration, refactored release pipeline with SBOM generation, split sync workflow into direct-commit and PR paths, adjusted build commands from .rhiza/rhiza.mk targets to consolidated make targets. |
| New Workflows | .github/workflows/copilot-setup-steps.yml, .github/workflows/rhiza_weekly.yml | Added agent setup workflow for environment configuration and new weekly CI job for dependency compatibility testing, code quality checks (Semgrep, pip-audit), and link validation. |
| Configuration & Security | .github/copilot-instructions.md, .github/dependabot.yml, .github/hooks/hooks.json, .github/secret_scanning.yml, .github/semgrep.yml | Added Copilot/agent operation guidelines, Dependabot version updates (Python/GitHub Actions with patch-minor-only policy), session hook configuration (start/end validation), secret scanning path exclusions, and Semgrep rules for unsafe NumPy/RNG/matrix operations. |
| Hook Scripts | .github/hooks/session-start.sh, .github/hooks/session-end.sh | New Bash scripts for pre-session validation (uv/venv availability) and post-session quality gates (formatting and testing). |
| Bootstrap & Core Makefiles | .rhiza/make.d/bootstrap.mk, .rhiza/make.d/book.mk, .rhiza/make.d/marimo.mk, .rhiza/make.d/quality.mk, .rhiza/make.d/releasing.mk | Added five new modular Makefiles implementing environment setup (uv/venv installation), MkDocs-based book building with report/notebook aggregation, Marimo notebook validation/server startup, quality checks (deptry/formatting/licenses), and release management (bump/publish/status). |
| Documentation Migration | .rhiza/requirements/docs.txt, docs/mkdocs-base.yml, docs/development/MARIMO.md, docs/index.md | Migrated from pdoc to MkDocs: replaced pdoc dependency with mkdocs/material/mkdocstrings, added base MkDocs config with Material theme and Mermaid support, updated Marimo path references from book/marimo to docs/notebooks, and configured docs index. |
| Removed Legacy Documentation | book/README.md, book/book.mk, book/marimo/marimo.mk, book/marimo/notebooks/rhiza.py, book/minibook-templates/custom.html.jinja2 | Deleted old pdoc/marimo/minibook infrastructure including build logic, templates, showcase notebook, and documentation. |
| Environment & Version Configuration | .python-version, .rhiza/.env, .rhiza/.rhiza-version, .rhiza/.cfg.toml, .rhiza/template.yml | Added Python 3.12 version pin, updated Rhiza version to 0.12.1, simplified environment variables (removed legacy settings, changed MARIMO_FOLDER path), enabled git tagging in bumpversion config, updated template branch to v0.9.5 with github/marimo template selection. |
| Removed Makefiles & Custom Targets | .rhiza/make.d/01-custom-env.mk, .rhiza/make.d/10-custom-task.mk | Deleted custom environment and task Makefile fragments including PROJECT_NAME_EXTRA and hello-rhiza targets. |
| Main Makefile Updates | Makefile | Added configuration variables (DOCFORMAT, DEFAULT_AI_MODEL, LOGO_FILE, GH_AW_ENGINE), post-validate hook for typecheck, and new adr target for interactive ADR creation via GitHub workflow. |
| Rhiza Core Makefile | .rhiza/rhiza.mk | Significant restructuring: changed template sync from materialize to sync, added deprecated materialize alias, moved install/fmt/deptry/clean targets to modular includes, updated validation flow, changed build tools (uvx rhiza pinned versions), replaced version-matrix Python script with uvx tool invocation. |
| Removed Scripts | .rhiza/scripts/check_workflow_names.py, .rhiza/scripts/release.sh, .rhiza/utils/version_matrix.py | Deleted workflow name validation script, release automation shell script, and version matrix Python utility (functionality migrated to external tools/hooks). |
| Requirements Updates | .rhiza/requirements/tests.txt, .rhiza/requirements/tools.txt, .rhiza/requirements/README.md | Removed mypy dependency in favor of ty tool, emptied test requirements (likely moved to pyproject.toml), updated documentation with MkDocs/mkdocstrings additions. |
| Code Quality Configuration | .pre-commit-config.yaml, ruff.toml, .gitignore | Bumped pre-commit hook versions, added rhiza-hooks with workflow/config/Makefile validators, enabled Bandit (S) and Simplify (SIM) rules in Ruff, updated test/notebook linting ignores, added gitignore entries for MkDocs/LaTeX/coverage artifacts. |
| Removed Configuration | renovate.json, CODE_OF_CONDUCT.md, CONTRIBUTING.md | Deleted Renovate config (replaced by Dependabot) and community guidelines documents. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

Poem

🐰 The rabbit hops through workflows new,
From pdoc's past to MkDocs true!
With agents, hooks, and Makefiles clean,
The toolbox glows with what it's been.
Semgrep keeps quality tight as thread,
While modular paths lie neat ahead! 🌿

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title clearly summarizes the main change: syncing the repository with rhiza template v0.9.5. The title is concise, specific, and directly related to the primary purpose of this changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Copilot AI left a comment

Pull request overview

Syncs this repository with the jebel-quant/rhiza template at v0.9.5, updating repo scaffolding, automation, and documentation tooling to the current Rhiza sync workflow.

Changes:

  • Migrates Rhiza sync tooling to rhiza sync and updates template configuration/lockfiles.
  • Introduces new GitHub automation (sync/release/book/weekly, Copilot setup hooks, Dependabot, Semgrep, secret scanning, templates).
  • Switches documentation/book infrastructure toward MkDocs-based docs under docs/ (and removes older book/ minibook/pdoc tooling files).

Reviewed changes

Copilot reviewed 58 out of 62 changed files in this pull request and generated 12 comments.

| File | Description |
|---|---|
| ruff.toml | Enables additional Ruff rule sets and updates per-file ignore patterns. |
| renovate.json | Removes Renovate configuration (Dependabot added instead). |
| docs/mkdocs-base.yml | Adds base MkDocs config used by Rhiza book build. |
| docs/index.md | Adds MkDocs home page that includes README via snippets. |
| docs/development/MARIMO.md | Updates Marimo docs to new notebook path under docs/notebooks. |
| docs/assets/rhiza-logo.svg | Adds Rhiza logo asset for docs theme. |
| book/minibook-templates/custom.html.jinja2 | Removes legacy minibook template. |
| book/marimo/notebooks/rhiza.py | Removes legacy Marimo showcase notebook under book/. |
| book/marimo/marimo.mk | Removes legacy Marimo Make targets under book/. |
| book/book.mk | Removes legacy book/pdoc/minibook build Make targets. |
| book/README.md | Removes legacy book documentation for old book system. |
| Makefile | Adds repo-owned custom vars and targets (post-validate/typecheck, ADR helper). |
| CONTRIBUTING.md | Removes contributing guidelines (template now manages GitHub templates instead). |
| CODE_OF_CONDUCT.md | Removes code of conduct file. |
| .rhiza/utils/version_matrix.py | Removes local version-matrix helper (now via rhiza-tools). |
| .rhiza/template.yml | Updates template source/ref and template bundle selection/exclusions. |
| .rhiza/template.lock | Adds lockfile capturing synced template ref/sha and file list. |
| .rhiza/scripts/release.sh | Removes legacy release shell script (release now via rhiza-tools). |
| .rhiza/scripts/check_workflow_names.py | Removes legacy workflow-name fixer script (moved to hooks). |
| .rhiza/rhiza.mk | Updates core Rhiza Make entrypoint and includes modular make.d files. |
| .rhiza/requirements/tools.txt | Updates tool requirements (drops mypy, adds ty, etc.). |
| .rhiza/requirements/tests.txt | Removes template-provided test requirements file. |
| .rhiza/requirements/docs.txt | Switches docs requirements to MkDocs stack (drops pdoc). |
| .rhiza/requirements/README.md | Updates requirements documentation to reflect new intent (needs alignment). |
| .rhiza/make.d/releasing.mk | Adds release/versioning targets via rhiza-tools. |
| .rhiza/make.d/quality.mk | Adds quality/format/license/todo targets. |
| .rhiza/make.d/marimo.mk | Adds Marimo targets aligned to docs/notebooks. |
| .rhiza/make.d/bootstrap.mk | Adds install/bootstrap/clean targets with uv lock checking. |
| .rhiza/make.d/book.mk | Adds MkDocs-based “book” build that exports reports/notebooks into docs. |
| .rhiza/make.d/10-custom-task.mk | Removes example custom task module. |
| .rhiza/make.d/01-custom-env.mk | Removes example custom env module. |
| .rhiza/.rhiza-version | Bumps Rhiza tool version pin to 0.12.1. |
| .rhiza/.env | Updates env vars (moves MARIMO_FOLDER to docs/notebooks). |
| .rhiza/.cfg.toml | Updates bumpversion configuration (tagging + PEP440 variants + hooks). |
| .python-version | Adds pinned Python version file (3.12). |
| .pre-commit-config.yaml | Updates pre-commit hooks and adds rhiza-hooks + uv-lock hook. |
| .gitignore | Updates ignores for MkDocs outputs, notebook exports, and tool caches. |
| .github/workflows/rhiza_weekly.yml | Adds weekly workflow (dep-compat test, Semgrep, pip-audit, link check). |
| .github/workflows/rhiza_validate.yml | Removes legacy validate workflow. |
| .github/workflows/rhiza_sync.yml | Updates sync workflow (direct commit on Renovate branches + PR on schedule). |
| .github/workflows/rhiza_release.yml | Updates release workflow (SBOM generation, newer actions, release notes). |
| .github/workflows/rhiza_pre-commit.yml | Removes legacy pre-commit workflow. |
| .github/workflows/rhiza_mypy.yml | Removes legacy mypy workflow. |
| .github/workflows/rhiza_marimo.yml | Updates Marimo workflow (uv version, auth action, artifact upload). |
| .github/workflows/rhiza_deptry.yml | Removes legacy deptry workflow. |
| .github/workflows/rhiza_codeql.yml | Removes legacy CodeQL workflow. |
| .github/workflows/rhiza_book.yml | Updates book workflow to run make book and upload/deploy artifacts. |
| .github/workflows/copilot-setup-steps.yml | Adds Copilot coding agent setup workflow. |
| .github/semgrep.yml | Adds Semgrep rules (NumPy-focused security/best-practice checks). |
| .github/secret_scanning.yml | Adds secret scanning configuration and path ignores. |
| .github/hooks/session-start.sh | Adds Copilot session start hook (environment validation). |
| .github/hooks/session-end.sh | Adds Copilot session end hook (fmt + test gates). |
| .github/hooks/hooks.json | Registers Copilot sessionStart/sessionEnd hooks. |
| .github/dependabot.yml | Adds Dependabot configuration (uv + actions). |
| .github/copilot-instructions.md | Adds repository Copilot guidance/instructions. |
| .github/actions/configure-git-auth/action.yml | Adds composite action to configure git auth for private dependencies. |
| .github/actions/configure-git-auth/README.md | Documents the composite action usage and token expectations. |
| .github/ISSUE_TEMPLATE/feature_request.yml | Adds issue template for feature requests. |
| .github/ISSUE_TEMPLATE/bug_report.yml | Adds issue template for bug reports. |
| .github/DISCUSSION_TEMPLATE/q-and-a.yml | Adds discussion template for Q&A. |

Comments suppressed due to low confidence (1)

.rhiza/requirements/README.md:20

  • This requirements README still documents tests.txt (and even shows installing it), but .rhiza/requirements/tests.txt was removed in this sync. Update the README to reflect the actual files present (or reintroduce tests.txt if it’s still intended).

Comment thread Makefile Outdated
Comment on lines +21 to +23
.PHONY: adr
adr: install-gh-aw ## Create a new Architecture Decision Record (ADR) using AI assistance
@echo "Creating a new ADR..."

Copilot AI Apr 16, 2026

The adr target depends on install-gh-aw, but no such target exists in the Makefiles currently included (and the gh-aw make modules are excluded in .rhiza/template.yml). This target will error immediately; either add/provide install-gh-aw (and the gh-aw tooling) or remove that dependency / guard it behind a check.

Copilot uses AI. Check for mistakes.
Comment thread docs/index.md
@@ -0,0 +1,2 @@
--8<-- "README.md"

Copilot AI Apr 16, 2026

This page includes README.md via pymdownx.snippets, but there is no docs/README.md in the repo. With docs_dir: . and base_path: ["."], MkDocs will not be able to resolve this include. Point the snippet to the root README (e.g. adjust the include path / base_path) or add a docs/README.md file.

Comment thread docs/mkdocs-base.yml
Comment on lines +67 to +71
nav:
- Home: index.md
- Notebooks: notebooks.md
- Reports: reports.md
- Paper: paper/rhiza.pdf

Copilot AI Apr 16, 2026

The nav references paper/rhiza.pdf, but there is no docs/paper/rhiza.pdf (or even docs/paper/) in the repo. MkDocs builds will fail with a missing file in nav. Either add the PDF (or a placeholder) or remove/guard this nav entry in the base config.

run: |
# Configure git to use token authentication for GitHub URLs
# This allows uv/pip to install private packages from GitHub
git config --global url."https://${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
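
Review bot: the `git config --global url."https://${GH_TOKEN}@github.com/".insteadOf` line stores the token in clear text in the runner user's global git configuration, where it stays readable by every later step of the job and shows up in any output that lists git config or a rewritten remote URL. Supplying the credential through a credential helper that reads `GH_TOKEN` from the environment at request time keeps it out of the config file; if the URL rewrite stays, remove it in a final step that runs even when the job fails.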

Copilot AI Apr 16, 2026

This composite action configures git with https://${GH_TOKEN}@github.com/, which treats the token as the username with an empty password and typically won’t authenticate to private repos. Use the standard pattern that passes the token as the password (e.g., https://x-access-token:${GH_TOKEN}@github.com/) to ensure dependency installs from private GitHub repos work.

Suggested change
git config --global url."https://${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
git config --global url."https://x-access-token:${GH_TOKEN}@github.com/".insteadOf "https://github.com/"

shell: bash
run: |
export UV_EXTRA_INDEX_URL="${{ secrets.uv-extra-index-url }}"
export UV_EXTRA_INDEX_URL="${{ secrets.uv_extra_index_url }}"
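
Review bot: in the `export UV_EXTRA_INDEX_URL="${{ secrets.uv_extra_index_url }}"` line, the `${{ }}` expression is substituted into the script text before bash parses it, so a secret value containing a double quote, `$` or a backtick is interpreted as shell syntax rather than data. Map the secret to `UV_EXTRA_INDEX_URL` under the step's `env:` key instead, which also makes the `export` unnecessary.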

Copilot AI Apr 16, 2026

The workflow exports UV_EXTRA_INDEX_URL from secrets.uv_extra_index_url, but other workflows in this repo use secrets.UV_EXTRA_INDEX_URL. Unless both secrets exist, this will break dependency sync during finalise-release. Align the secret name casing consistently (prefer the existing UV_EXTRA_INDEX_URL).

Suggested change
export UV_EXTRA_INDEX_URL="${{ secrets.uv_extra_index_url }}"
export UV_EXTRA_INDEX_URL="${{ secrets.UV_EXTRA_INDEX_URL }}"

Comment thread Makefile Outdated
Comment on lines +15 to +17
# Wire typecheck into make validate
post-validate::
@$(MAKE) typecheck

Copilot AI Apr 16, 2026

make validate will fail because post-validate invokes make typecheck, but there is no typecheck target defined anywhere in the repo. Either add a typecheck target (e.g., in .rhiza/make.d/) or remove this hook wiring until type checking is implemented.

Comment thread .rhiza/make.d/quality.mk
Comment on lines +10 to +12
##@ Quality and Formatting
all: fmt deptry test docs-coverage security license typecheck rhiza-test ## run all CI targets locally


Copilot AI Apr 16, 2026

all depends on docs-coverage, security, and typecheck, but none of these targets exist in the current repo (so make all will fail). Either define these targets (e.g., in additional .rhiza/make.d/*.mk modules) or remove them from the dependency list until they’re implemented.

Comment thread .rhiza/make.d/quality.mk
Comment on lines +45 to +47
suppression-audit: ## scan codebase for inline suppressions and report (grade, detail, histogram)
@printf "${BLUE}[INFO] Running suppression audit...${RESET}\n"
@${UV_BIN} run python .rhiza/utils/suppression_audit.py

Copilot AI Apr 16, 2026

suppression-audit runs .rhiza/utils/suppression_audit.py, but .rhiza/utils/ (and that script) doesn’t exist in the repo after this sync. This target will fail when invoked; either add the script back (or update the path) or remove the target.

Comment on lines +153 to +174
## GitHub Agentic Workflows (gh-aw)

This repository uses GitHub Agentic Workflows for AI-driven automation.
Agentic workflow files are Markdown files in `.github/workflows/` with
`.lock.yml` compiled counterparts.

**Key Commands:**
- `make gh-aw-compile` or `gh aw compile` — Compile workflow `.md` files to `.lock.yml`
- `make gh-aw-run WORKFLOW=<name>` or `gh aw run <name>` — Run a specific workflow locally
- `make gh-aw-status` — Check status of all agentic workflows
- `make gh-aw-setup` — Configure secrets and engine for first-time setup

**Important Rules:**
- **Never edit `.lock.yml` files directly** — Always edit the `.md` source and recompile
- Workflows must be compiled before they can run in GitHub Actions
- After editing any `.md` workflow, always run `make gh-aw-compile` and commit both files

**Available Starter Workflows:**
- `daily-repo-status.md` — Daily repository health reports
- `ci-doctor.md` — Automatic CI failure diagnosis
- `issue-triage.md` — Automatic issue classification and labeling


Copilot AI Apr 16, 2026

This section documents gh-aw Make targets (make gh-aw-compile, make gh-aw-run, etc.), but no such targets exist in the current Makefiles (and the gh-aw make modules are excluded in .rhiza/template.yml). This is likely to confuse contributors/agents; either include the gh-aw tooling or remove/update this section to match what’s actually available.

Suggested change
## GitHub Agentic Workflows (gh-aw)
This repository uses GitHub Agentic Workflows for AI-driven automation.
Agentic workflow files are Markdown files in `.github/workflows/` with
`.lock.yml` compiled counterparts.
**Key Commands:**
- `make gh-aw-compile` or `gh aw compile` — Compile workflow `.md` files to `.lock.yml`
- `make gh-aw-run WORKFLOW=<name>` or `gh aw run <name>` — Run a specific workflow locally
- `make gh-aw-status` — Check status of all agentic workflows
- `make gh-aw-setup` — Configure secrets and engine for first-time setup
**Important Rules:**
- **Never edit `.lock.yml` files directly** — Always edit the `.md` source and recompile
- Workflows must be compiled before they can run in GitHub Actions
- After editing any `.md` workflow, always run `make gh-aw-compile` and commit both files
**Available Starter Workflows:**
- `daily-repo-status.md` — Daily repository health reports
- `ci-doctor.md` — Automatic CI failure diagnosis
- `issue-triage.md` — Automatic issue classification and labeling

Comment thread Makefile Outdated
Comment on lines +34 to +38
if [ -z "$$context" ]; then \
gh workflow run adr-create.md -f title="$$title"; \
else \
gh workflow run adr-create.md -f title="$$title" -f context="$$context"; \
fi; \

Copilot AI Apr 16, 2026

adr triggers gh workflow run adr-create.md, but there is no workflow file named adr-create.md (or corresponding compiled workflow) under .github/workflows/ in this repo. As written, this will fail at runtime; either add the ADR workflow or update the target to call an existing workflow name/file.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 15

🧹 Nitpick comments (9)
ruff.toml (1)

104-116: Test ignore patterns are split inconsistently.

There are two separate test file patterns with different ignores:

  • "**/tests/**/*.py" (line 105): Gets S101, S603, S607, PLW1510
  • "tests/**/*.py" (line 111): Gets ERA001, PLR2004, RUF002, RUF012

This means tests in subdirectories (e.g., packages/foo/tests/) receive security-related ignores but not the ERA001/PLR2004/RUF002/RUF012 ignores. If this is intentional to apply stricter rules to nested test directories, the current setup is correct. Otherwise, consider consolidating to a single pattern.

🔧 Option: Consolidate test ignores
 # Test files - allow assert statements and subprocess calls for testing
 "**/tests/**/*.py" = [
     "S101",     # Allow assert statements in tests
     "S603",     # Allow subprocess calls without shell=False check
     "S607",     # Allow starting processes with partial paths in tests
     "PLW1510",  # Allow subprocess without explicit check parameter
+    "ERA001",   # Allow commented out code in tests
+    "PLR2004",  # Allow magic values in tests
+    "RUF002",   # Allow ambiguous unicode in tests
+    "RUF012",   # Allow mutable class attributes in tests
 ]
-"tests/**/*.py" = [
-    "ERA001",   # Allow commented out code in project tests
-    "PLR2004",  # Allow magic values in project tests
-    "RUF002",   # Allow ambiguous unicode in project tests
-    "RUF012",   # Allow mutable class attributes in project tests
-]
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@ruff.toml` around lines 104 - 116, The two test ignore patterns
("**/tests/**/*.py" and "tests/**/*.py") are inconsistent and cause different
ignore sets for nested vs root tests; consolidate them by merging the ignore
lists under a single pattern (either unify into "**/tests/**/*.py" or into
"tests/**/*.py") so all test files receive the same ignores (include S101, S603,
S607, PLW1510, ERA001, PLR2004, RUF002, RUF012), updating ruff.toml accordingly.
.github/dependabot.yml (1)

66-80: Docker configuration is commented out.

The Docker ecosystem configuration is fully commented out. If Docker is not currently used, consider removing this section entirely to reduce clutter. It can be easily re-added from the template when needed.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml around lines 66 - 80, Remove the fully commented
Docker dependabot block (the lines containing "#- package-ecosystem: \"docker\""
through the commented "commit-message" subkeys) to reduce clutter; if Docker
support is needed later, restore the block from the dependabot template or
re-add a non-commented package-ecosystem: "docker" section with its schedule,
labels, and commit-message settings.
.github/actions/configure-git-auth/README.md (1)

48-49: Missing blank line before heading.

There's a missing blank line between line 48 and the ## Example Workflow heading on line 49.

📝 Proposed formatting fix
 ... will fail with an authentication error.
+
 ## Example Workflow
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/actions/configure-git-auth/README.md around lines 48 - 49, Add a
single blank line between the preceding paragraph ending with "will fail with an
authentication error." and the heading "## Example Workflow" so the markdown
heading is separated by an empty line; locate the paragraph text and the "##
Example Workflow" heading in README.md and insert one newline to fix the
missing-blank-line formatting.
.gitignore (1)

100-123: Remove duplicate .bandit-baseline.json ignore entry.

The same pattern is listed twice (Line 100 and Line 122). Keep one entry to reduce noise.

Diff
 # Security scanning baselines (regenerate as needed)
 .bandit-baseline.json
@@
-.bandit-baseline.json
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.gitignore around lines 100 - 123, Remove the duplicate
.bandit-baseline.json entry from the .gitignore file by keeping only one
occurrence of ".bandit-baseline.json" (remove the second instance) so the ignore
list contains a single unique entry for that pattern.
.rhiza/requirements/README.md (1)

7-10: Consider generating this dependency summary to avoid drift.

These package lists are easy to get stale. Consider deriving this section from /.rhiza/requirements/*.txt during sync.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.rhiza/requirements/README.md around lines 7 - 10, The README's dependency
summary can become stale; update the sync process to regenerate that section
from the actual files under .rhiza/requirements/*.txt: implement (or hook into
the existing sync script) a routine that reads each requirements file (e.g.,
tests.txt, marimo.txt, docs.txt, tools.txt), computes the human-readable bullet
lines, and replaces the corresponding block in .rhiza/requirements/README.md
during sync; ensure the routine is idempotent, preserves formatting around the
generated block, and is invoked automatically as part of the repository sync
step so the README always reflects the current files.
.rhiza/make.d/marimo.mk (1)

21-26: Consider preserving error output for failed validations.

The validation redirects all output (> /dev/null 2>&1), including error messages. When a notebook fails, developers won't see why. Consider capturing stderr to a log file or only suppressing stdout:

♻️ Optional: Preserve stderr for debugging
-      if NOTEBOOK_OUTPUT_FOLDER="$$artefact_folder" ${UV_BIN} run "$$notebook" > /dev/null 2>&1; then
+      if NOTEBOOK_OUTPUT_FOLDER="$$artefact_folder" ${UV_BIN} run "$$notebook" > /dev/null 2>"$$artefact_folder/stderr.log"; then
         printf "${GREEN}[SUCCESS] $$notebook_name is valid${RESET}\n"; \
       else \
         printf "${RED}[ERROR] $$notebook_name failed validation${RESET}\n"; \
+        printf "${RED}        See $$artefact_folder/stderr.log for details${RESET}\n"; \
         failed=$$((failed + 1)); \
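Review bot: The new redirect `2>"$$artefact_folder/stderr.log"` assumes `$$artefact_folder` already exists when the shell opens the log file, and nothing in the visible lines creates it. If the directory is missing, the redirection fails before `${UV_BIN} run` starts, so the notebook is reported as failed and the error message points at a log that was never written. Confirm that a `mkdir -p "$$artefact_folder"` runs earlier in the recipe, or add one just before this line. The log is also written on successful runs, so either delete it in the success branch or document that a stderr.log in every artefact folder is expected.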
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.rhiza/make.d/marimo.mk around lines 21 - 26, The validation currently
discards all output by redirecting both stdout and stderr (the line invoking
${UV_BIN} run with > /dev/null 2>&1), which hides errors when a notebook fails;
change the invocation so stdout is suppressed but stderr is preserved or written
to a per-notebook log (e.g., redirect only stdout to /dev/null and leave stderr,
or redirect stderr to a "${notebook_name}.err" file), ensuring the same logic
that increments failed (variable failed) and prints the success/error messages
for NOTEBOOK_OUTPUT_FOLDER, ${UV_BIN} run, $$notebook and $$notebook_name
remains unchanged.
.rhiza/make.d/quality.mk (1)

13-27: Inconsistent dependency: install-uv vs install.

The deptry and fmt targets depend on install-uv, while license depends on install. This inconsistency may cause issues if install-uv doesn't set up the full environment needed for these tools.

Consider whether all quality targets should depend on install for consistency, or if install-uv is intentionally minimal.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.rhiza/make.d/quality.mk around lines 13 - 27, The deptry and fmt targets
currently depend on install-uv while license depends on install, causing
inconsistency; either make deptry and fmt depend on install (replace install-uv
with install in the deptry and fmt target prerequisites) so all quality targets
use the full install setup, or explicitly document/ensure that install-uv
performs the same environment setup as install; update the prerequisites for the
deptry and fmt targets (deptry, fmt, install-uv, install) accordingly to keep
dependency behavior consistent.
docs/mkdocs-base.yml (1)

63-64: Consider pinning or self-hosting Mermaid JS.

Loading Mermaid from unpkg.com CDN introduces an external dependency. While this is common practice, consider:

  • The version is pinned (11.4.0), which is good
  • For offline builds or strict CSP environments, self-hosting may be preferred

This is a low-priority consideration and acceptable for most use cases.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/mkdocs-base.yml` around lines 63 - 64, The mkdocs config currently loads
Mermaid from an external CDN via the extra_javascript entry referencing
"https://unpkg.com/mermaid@11.4.0/dist/mermaid.esm.min.mjs"; to address offline
or strict-CSP requirements either replace that URL with a locally hosted copy of
the same file (add the local asset path to extra_javascript and include the file
in your docs/static assets) or configure a pinned, internal CDN endpoint,
ensuring the version (11.4.0) remains explicit; update the extra_javascript
value accordingly and add the Mermaid asset to your build/static assets so
builds do not depend on unpkg.
.github/workflows/rhiza_sync.yml (1)

91-100: Commit message uses HERE-doc with leading whitespace.

The commit message HERE-doc includes leading whitespace which will be part of the commit message body. This may be intentional for formatting, but consider if the indentation should be stripped.

♻️ Alternative: Strip leading whitespace from commit message
           git add -A
-          git commit -m "$(cat <<'EOF'
-          chore: sync rhiza template files
-
-          Automatically synced template files after updating .rhiza/template.yml
-
-          Co-Authored-By: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
-          EOF
-          )"
+          git commit -m "$(cat <<-'EOF'
+	chore: sync rhiza template files
+
+	Automatically synced template files after updating .rhiza/template.yml
+
+	Co-Authored-By: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
+	EOF
+          )"
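Review bot: The heredoc body on the `+` lines is indented with tab characters, which is a problem if this step lives in a YAML block scalar (`run: |`), as the space-indented lines around it suggest. YAML does not accept tabs as indentation, so the tab-indented lines fall outside the scalar and the workflow file will not parse. `<<-` strips leading tabs only, not spaces, so re-indenting the body with spaces would not work either. YAML already removes the block's common indentation before the shell sees the script, so check what `git log -1 --format=%B` shows for a commit made by the current step; if the body is already flush left, keep `<<'EOF'` as it is.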

Using <<- allows leading tabs to be stripped.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/rhiza_sync.yml around lines 91 - 100, The HERE-doc used in
the git commit message (git commit -m "$(cat <<'EOF' ... EOF )") preserves
leading indentation; change the delimiter to a strip-safe form (e.g., use
<<-'EOF' or <<-EOF and indent with tabs) or remove indentation so the commit
body doesn't include unwanted leading whitespace, updating the HEREDOC
invocation around the git commit -m "$(cat <<'EOF' ... )" block accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/actions/configure-git-auth/README.md:
- Around line 79-80: The README contains broken links to
.rhiza/docs/PRIVATE_PACKAGES.md and .rhiza/docs/TOKEN_SETUP.md; either remove
those link lines from the README or replace them with correct existing
documentation references (or restore the missing TEMPLATE files into the repo).
Edit the README entry that currently lists "[PRIVATE_PACKAGES.md] ...
[TOKEN_SETUP.md]" and remove both links if no replacement docs exist, or update
the target paths to the correct docs that do exist in the repository (or ensure
TOKEN_SETUP.md is added back if intended to be present).

In @.github/copilot-instructions.md:
- Around line 129-136: Update the "Project Structure" section by replacing the
`book/` entry with `docs/` and note that documentation now uses MkDocs (e.g.,
change the list item from "`book/`: Documentation source" to something like
"`docs/`: Documentation source (MkDocs)") so the README/guide matches the PR
description; modify the `Project Structure` heading and the bullet list where
`book/` appears to reflect `docs/` and MkDocs.

In @.github/DISCUSSION_TEMPLATE/q-and-a.yml:
- Line 7: Replace the awkward phrase "share how your use-case" in the intro copy
with clearer wording; update the sentence "Welcome! Use this space to ask
questions, share how your use-case, or explore ideas with the community." to
read something like "Welcome! Use this space to ask questions, share your use
case, or explore ideas with the community." to fix the grammar and improve
clarity.

In @.github/hooks/session-end.sh:
- Around line 24-34: The session-end hook calls the make target "test" which is
currently a no-op stub defined as test:: ; @: in .rhiza/make.d/book.mk, so the
hook always reports success; fix by either (A) adding a concrete test recipe
file (create test.mk that overrides the test: target to run your real test
command(s), e.g., invoke pytest/npm test/./run-tests.sh and ensure it's included
by the Makefile so make test actually executes tests) or (B) remove/replace the
gate in .github/hooks/session-end.sh (remove the if ! make test... block or
change it to run a real test command and handle failures) and add a short
comment explaining why the gate was removed/disabled; reference the "test"
target and the session-end hook when making the change.

In @.github/workflows/rhiza_release.yml:
- Around line 408-414: The secret name is inconsistent: the workflow currently
references secrets.uv_extra_index_url but other workflows use
secrets.UV_EXTRA_INDEX_URL; update the export line in the "Sync the virtual
environment for ${{ github.repository }}" step to use secrets.UV_EXTRA_INDEX_URL
(and ensure the exported env var UV_EXTRA_INDEX_URL stays the same) so the
secret resolves consistently across workflows.

In @.github/workflows/rhiza_weekly.yml:
- Around line 100-101: The workflow step named "Run pip-audit" currently runs
"uvx pip-audit" which only audits the tool environment; update this step to
first install or sync the project dependencies (e.g., run your dependency
install/sync step) and then invoke pip-audit against the project dependencies by
passing the requirements file or project path (for example use pip-audit with
"-r requirements.txt" or "--project-path .") instead of auditing the ephemeral
uvx environment.

In @.rhiza/.rhiza-version:
- Line 1: The RHIZA_VERSION fallback in rhiza.mk is outdated; update the
RHIZA_VERSION assignment (the line that uses the shell cat fallback) to use
"0.12.1" instead of "0.10.2" so it reads RHIZA_VERSION ?= $(shell cat
.rhiza/.rhiza-version 2>/dev/null || echo "0.12.1"); modify the RHIZA_VERSION
variable in rhiza.mk accordingly to match .rhiza/.rhiza-version.

In @.rhiza/make.d/book.mk:
- Around line 62-74: The book target invokes ${UVX_BIN} directly but lacks the
install-uv prerequisite, causing failures on fresh checkouts; update the book
target declaration to depend on install-uv (similar to mkdocs-build and
mkdocs-serve) so UVX_BIN is guaranteed installed before running, i.e., add
install-uv to the prerequisites for the book target (referencing the book target
name "book" and the install target "install-uv" and the variable "UVX_BIN") and
keep the existing _book-reports/_book-notebooks prerequisites and build steps
unchanged.
- Around line 46-60: The _book-notebooks target iterates over unguarded globs
which expand to literal strings when empty; update the loops that iterate over
$(MARIMO_FOLDER)/*.py and docs/notebooks/*.html to first check whether the glob
matches any files before looping (e.g. assign the glob to a positional parameter
or var and test [ -e "$first" ] or use a conditional like “for nb in …; do …;
done” only if a file exists). Specifically modify the loop over
MARIMO_FOLDER/*.py (referencing MARIMO_FOLDER, UV_BIN and the marimo export
command) and the loop that builds docs/notebooks.md (referencing
docs/notebooks/*.html) to skip iteration when no files exist and avoid running
commands on literal non-existent paths.

In @.rhiza/make.d/bootstrap.mk:
- Around line 90-92: The git clean exclude patterns in the command string
starting with "@git clean -d -X -f \ -e '!.env' \ -e '!.env.*'" are inverted and
will not protect .env files; remove the leading "!" from those -e patterns so
they read -e '.env' and -e '.env.*' (keeping the quotes/escaping intact) to
properly exclude and protect .env and .env.* from deletion.

In @.rhiza/make.d/quality.mk:
- Line 11: The "all" make target references missing targets causing "make all"
to fail; update the dependency chain by either adding stub targets for
docs-coverage, security, typecheck, and rhiza-test (define targets named
docs-coverage, security, typecheck, rhiza-test as no-op/stub targets) or remove
those names from the all target dependency list so only existing targets (fmt,
deptry, test, license, etc.) are referenced; ensure the changes update the all
target declaration and add corresponding stub target definitions if you choose
the stub approach.

In `@docs/development/MARIMO.md`:
- Line 43: Replace the bare marimo invocation with the project's wrapper: find
occurrences of the literal command "marimo edit" (e.g., at the two spots
flagged) and update them to "uv run --with marimo marimo edit" so the docs match
the project's reproducible tooling; ensure both instances are changed and any
surrounding examples or Makefile-related guidance remain consistent with the
updated command string.

In `@Makefile`:
- Around line 26-29: The Makefile uses bash-only "read -p" on the ADR prompt
lines (the interactive commands that set title and context); either add a
top-level declaration "SHELL := /bin/bash" to force bash for the Makefile, or
replace each "read -p" usage with a POSIX-safe pattern: print the prompt with
printf and then use plain read (e.g., printf "Enter ADR title: " followed by
read -r title) for both the title and context prompts so the Makefile runs under
/bin/sh.
- Around line 35-38: The Makefile's adr target references a non-existent
workflow file name "adr-create.md" (used in the gh workflow run calls); update
the adr target to reference the correct workflow filename "adr-create.yml" (or
remove the adr target entirely if the workflow won't be added) so gh workflow
run calls inside the adr target use "adr-create.yml" instead of "adr-create.md";
look for the gh workflow run lines in the adr target to change all occurrences.

In `@ruff.toml`:
- Around line 117-126: The glob pattern change from "**/marimo/**/*.py" to
"**/notebooks/*.py" in ruff configuration broke the intended exclusions for
Marimo notebooks; revert the exclusion pattern back to "**/marimo/**/*.py" (or,
if notebooks were intentionally moved, update the pattern to the new correct
path and adjust the accompanying comment) so the linter ignores the actual
Marimo notebook Python files (e.g., Experiment1.py..Experiment5.py).

---

Nitpick comments:
In @.github/actions/configure-git-auth/README.md:
- Around line 48-49: Add a single blank line between the preceding paragraph
ending with "will fail with an authentication error." and the heading "##
Example Workflow" so the markdown heading is separated by an empty line; locate
the paragraph text and the "## Example Workflow" heading in README.md and insert
one newline to fix the missing-blank-line formatting.

In @.github/dependabot.yml:
- Around line 66-80: Remove the fully commented Docker dependabot block (the
lines containing "#- package-ecosystem: \"docker\"" through the commented
"commit-message" subkeys) to reduce clutter; if Docker support is needed later,
restore the block from the dependabot template or re-add a non-commented
package-ecosystem: "docker" section with its schedule, labels, and
commit-message settings.

In @.github/workflows/rhiza_sync.yml:
- Around line 91-100: The HERE-doc used in the git commit message (git commit -m
"$(cat <<'EOF' ... EOF )") preserves leading indentation; change the delimiter
to a strip-safe form (e.g., use <<-'EOF' or <<-EOF and indent with tabs) or
remove indentation so the commit body doesn't include unwanted leading
whitespace, updating the HEREDOC invocation around the git commit -m "$(cat
<<'EOF' ... )" block accordingly.

In @.gitignore:
- Around line 100-123: Remove the duplicate .bandit-baseline.json entry from the
.gitignore file by keeping only one occurrence of ".bandit-baseline.json"
(remove the second instance) so the ignore list contains a single unique entry
for that pattern.

In @.rhiza/make.d/marimo.mk:
- Around line 21-26: The validation currently discards all output by redirecting
both stdout and stderr (the line invoking ${UV_BIN} run with > /dev/null 2>&1),
which hides errors when a notebook fails; change the invocation so stdout is
suppressed but stderr is preserved or written to a per-notebook log (e.g.,
redirect only stdout to /dev/null and leave stderr, or redirect stderr to a
"${notebook_name}.err" file), ensuring the same logic that increments failed
(variable failed) and prints the success/error messages for
NOTEBOOK_OUTPUT_FOLDER, ${UV_BIN} run, $$notebook and $$notebook_name remains
unchanged.

In @.rhiza/make.d/quality.mk:
- Around line 13-27: The deptry and fmt targets currently depend on install-uv
while license depends on install, causing inconsistency; either make deptry and
fmt depend on install (replace install-uv with install in the deptry and fmt
target prerequisites) so all quality targets use the full install setup, or
explicitly document/ensure that install-uv performs the same environment setup
as install; update the prerequisites for the deptry and fmt targets (deptry,
fmt, install-uv, install) accordingly to keep dependency behavior consistent.

In @.rhiza/requirements/README.md:
- Around line 7-10: The README's dependency summary can become stale; update the
sync process to regenerate that section from the actual files under
.rhiza/requirements/*.txt: implement (or hook into the existing sync script) a
routine that reads each requirements file (e.g., tests.txt, marimo.txt,
docs.txt, tools.txt), computes the human-readable bullet lines, and replaces the
corresponding block in .rhiza/requirements/README.md during sync; ensure the
routine is idempotent, preserves formatting around the generated block, and is
invoked automatically as part of the repository sync step so the README always
reflects the current files.

In `@docs/mkdocs-base.yml`:
- Around line 63-64: The mkdocs config currently loads Mermaid from an external
CDN via the extra_javascript entry referencing
"https://unpkg.com/mermaid@11.4.0/dist/mermaid.esm.min.mjs"; to address offline
or strict-CSP requirements either replace that URL with a locally hosted copy of
the same file (add the local asset path to extra_javascript and include the file
in your docs/static assets) or configure a pinned, internal CDN endpoint,
ensuring the version (11.4.0) remains explicit; update the extra_javascript
value accordingly and add the Mermaid asset to your build/static assets so
builds do not depend on unpkg.

In `@ruff.toml`:
- Around line 104-116: The two test ignore patterns ("**/tests/**/*.py" and
"tests/**/*.py") are inconsistent and cause different ignore sets for nested vs
root tests; consolidate them by merging the ignore lists under a single pattern
(either unify into "**/tests/**/*.py" or into "tests/**/*.py") so all test files
receive the same ignores (include S101, S603, S607, PLW1510, ERA001, PLR2004,
RUF002, RUF012), updating ruff.toml accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 83dc2315-bae1-4506-9757-f8328a8091d5

📥 Commits

Reviewing files that changed from the base of the PR and between ef6fb34 and 2f7b640.

⛔ Files ignored due to path filters (3)
  • .rhiza/assets/rhiza-logo.svg is excluded by !**/*.svg
  • .rhiza/template.lock is excluded by !**/*.lock
  • docs/assets/rhiza-logo.svg is excluded by !**/*.svg
📒 Files selected for processing (58)
  • .github/DISCUSSION_TEMPLATE/q-and-a.yml
  • .github/ISSUE_TEMPLATE/bug_report.yml
  • .github/ISSUE_TEMPLATE/feature_request.yml
  • .github/actions/configure-git-auth/README.md
  • .github/actions/configure-git-auth/action.yml
  • .github/copilot-instructions.md
  • .github/dependabot.yml
  • .github/hooks/hooks.json
  • .github/hooks/session-end.sh
  • .github/hooks/session-start.sh
  • .github/secret_scanning.yml
  • .github/semgrep.yml
  • .github/workflows/copilot-setup-steps.yml
  • .github/workflows/rhiza_book.yml
  • .github/workflows/rhiza_codeql.yml
  • .github/workflows/rhiza_deptry.yml
  • .github/workflows/rhiza_marimo.yml
  • .github/workflows/rhiza_mypy.yml
  • .github/workflows/rhiza_pre-commit.yml
  • .github/workflows/rhiza_release.yml
  • .github/workflows/rhiza_sync.yml
  • .github/workflows/rhiza_validate.yml
  • .github/workflows/rhiza_weekly.yml
  • .gitignore
  • .pre-commit-config.yaml
  • .python-version
  • .rhiza/.cfg.toml
  • .rhiza/.env
  • .rhiza/.rhiza-version
  • .rhiza/make.d/01-custom-env.mk
  • .rhiza/make.d/10-custom-task.mk
  • .rhiza/make.d/book.mk
  • .rhiza/make.d/bootstrap.mk
  • .rhiza/make.d/marimo.mk
  • .rhiza/make.d/quality.mk
  • .rhiza/make.d/releasing.mk
  • .rhiza/requirements/README.md
  • .rhiza/requirements/docs.txt
  • .rhiza/requirements/tests.txt
  • .rhiza/requirements/tools.txt
  • .rhiza/rhiza.mk
  • .rhiza/scripts/check_workflow_names.py
  • .rhiza/scripts/release.sh
  • .rhiza/template.yml
  • .rhiza/utils/version_matrix.py
  • CODE_OF_CONDUCT.md
  • CONTRIBUTING.md
  • Makefile
  • book/README.md
  • book/book.mk
  • book/marimo/marimo.mk
  • book/marimo/notebooks/rhiza.py
  • book/minibook-templates/custom.html.jinja2
  • docs/development/MARIMO.md
  • docs/index.md
  • docs/mkdocs-base.yml
  • renovate.json
  • ruff.toml
💤 Files with no reviewable changes (19)
  • CONTRIBUTING.md
  • .rhiza/requirements/tests.txt
  • .rhiza/make.d/10-custom-task.mk
  • book/README.md
  • .github/workflows/rhiza_deptry.yml
  • CODE_OF_CONDUCT.md
  • .github/workflows/rhiza_pre-commit.yml
  • renovate.json
  • .github/workflows/rhiza_mypy.yml
  • .rhiza/make.d/01-custom-env.mk
  • book/minibook-templates/custom.html.jinja2
  • .github/workflows/rhiza_codeql.yml
  • .github/workflows/rhiza_validate.yml
  • .rhiza/scripts/check_workflow_names.py
  • book/marimo/marimo.mk
  • book/marimo/notebooks/rhiza.py
  • .rhiza/scripts/release.sh
  • .rhiza/utils/version_matrix.py
  • book/book.mk
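
The unguarded-glob finding for `.rhiza/make.d/book.mk` in the review above, shown as an added example that is not part of the review or of the project's Makefile. The function names, the placeholder export step and the index format are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo of the empty-glob failure mode in a recipe-style loop.
# All names are hypothetical. Inside a Make recipe each "$" below would be
# written "$$".

# Unguarded: when nothing matches, sh leaves the pattern unexpanded, so the
# loop body runs once on the literal string "<dir>/*.py".
list_unguarded() {
    dir=$1
    for nb in "$dir"/*.py; do
        printf '%s\n' "$nb"
    done
}

# Guarded: skip anything that is not an existing regular file, which also
# skips the literal pattern left behind by an empty glob.
list_guarded() {
    dir=$1
    for nb in "$dir"/*.py; do
        [ -f "$nb" ] || continue
        printf '%s\n' "$nb"
    done
}

# Guarded export loop. The ": >" line stands in for the real export command,
# which is not reproduced here. Prints the number of notebooks processed.
export_all() {
    dir=$1
    out=$2
    count=0
    mkdir -p "$out"
    for nb in "$dir"/*.py; do
        [ -f "$nb" ] || continue
        name=$(basename "$nb" .py)
        : > "$out/$name.html"
        count=$((count + 1))
    done
    echo "$count"
}

# Guarded index builder: with no exported pages it emits only the heading
# instead of a link to a file literally named "*.html".
build_index() {
    html_dir=$1
    printf '%s\n\n' "# Notebooks"
    for page in "$html_dir"/*.html; do
        [ -f "$page" ] || continue
        name=$(basename "$page" .html)
        printf '%s\n' "- [$name](notebooks/$name.html)"
    done
}

# Demo on a constructed, empty notebook folder.
demo=$(mktemp -d)
mkdir "$demo/notebooks"
echo "unguarded iterates over: $(list_unguarded "$demo/notebooks")"
echo "guarded exports: $(export_all "$demo/notebooks" "$demo/html") file(s)"
build_index "$demo/html"
rm -rf "$demo"
```
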

Comment on lines +79 to +80
- [PRIVATE_PACKAGES.md](../../../.rhiza/docs/PRIVATE_PACKAGES.md) - Complete guide to using private packages
- [TOKEN_SETUP.md](../../../.rhiza/docs/TOKEN_SETUP.md) - Setting up Personal Access Tokens

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify referenced documentation files exist
echo "Checking for referenced documentation files..."
for file in ".rhiza/docs/PRIVATE_PACKAGES.md" ".rhiza/docs/TOKEN_SETUP.md"; do
  if [ -f "$file" ]; then
    echo "✓ Found: $file"
  else
    echo "✗ Missing: $file"
  fi
done

Repository: tschm/cs

Length of output: 179


🏁 Script executed:

#!/bin/bash
# Check if .rhiza directory exists and its contents
echo "=== Checking .rhiza directory structure ==="
if [ -d ".rhiza" ]; then
  echo "✓ .rhiza directory exists"
  echo ""
  echo "Contents of .rhiza:"
  find .rhiza -type f -o -type d | head -50
else
  echo "✗ .rhiza directory does not exist"
fi

echo ""
echo "=== Searching for PRIVATE_PACKAGES and TOKEN_SETUP mentions ==="
rg "PRIVATE_PACKAGES|TOKEN_SETUP" --type md --type txt 2>/dev/null | head -20

Repository: tschm/cs

Length of output: 677


🏁 Script executed:

#!/bin/bash
# Check for docs directory at repository root and search for documentation files
echo "=== Checking for docs directory at repo root ==="
if [ -d "docs" ]; then
  echo "✓ docs directory exists at repo root"
  ls -la docs/ | head -20
else
  echo "✗ No docs directory at repo root"
fi

echo ""
echo "=== Checking for any .md files in .rhiza ==="
find .rhiza -name "*.md" -type f

echo ""
echo "=== Searching all markdown files for PRIVATE_PACKAGES or TOKEN_SETUP ==="
rg "PRIVATE_PACKAGES|TOKEN_SETUP" 2>/dev/null || echo "No matches found"

Repository: tschm/cs

Length of output: 655


🏁 Script executed:

#!/bin/bash
# Examine the README file directly to see the context
echo "=== Content of .github/actions/configure-git-auth/README.md (lines 70-85) ==="
sed -n '70,85p' ".github/actions/configure-git-auth/README.md"

echo ""
echo "=== Check if .rhiza/docs directory exists ==="
if [ -d ".rhiza/docs" ]; then
  echo "✓ .rhiza/docs exists"
  ls -la .rhiza/docs/
else
  echo "✗ .rhiza/docs does not exist"
fi

echo ""
echo "=== Search entire codebase for any PRIVATE_PACKAGES or TOKEN_SETUP content ==="
git grep -l "PRIVATE_PACKAGES\|TOKEN_SETUP" 2>/dev/null || echo "No git matches found"

echo ""
echo "=== Check git history for these files ==="
git log --all --full-history -- ".rhiza/docs/PRIVATE_PACKAGES.md" ".rhiza/docs/TOKEN_SETUP.md" 2>/dev/null | head -20 || echo "No git history found"

Repository: tschm/cs

Length of output: 1072


🏁 Script executed:

#!/bin/bash
# Check rhiza_sync.yml for context
echo "=== Content of .github/workflows/rhiza_sync.yml ==="
cat .github/workflows/rhiza_sync.yml

echo ""
echo "=== Check .rhiza/history for these files ==="
cat .rhiza/history | grep -i "PRIVATE_PACKAGES\|TOKEN_SETUP" || echo "No matches in history file"

echo ""
echo "=== List all files in .rhiza/history ==="
wc -l .rhiza/history && head -50 .rhiza/history

Repository: tschm/cs

Length of output: 7476


Remove or update incorrect documentation references.

The README links to .rhiza/docs/PRIVATE_PACKAGES.md and .rhiza/docs/TOKEN_SETUP.md, but the .rhiza/docs directory doesn't exist. TOKEN_SETUP.md is listed as a template-managed file in .rhiza/history but is missing from the repository (likely excluded by template sync), and PRIVATE_PACKAGES.md is not part of the Rhiza template at all. Either remove these broken links or restore the files from the template.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/actions/configure-git-auth/README.md around lines 79 - 80, The
README contains broken links to .rhiza/docs/PRIVATE_PACKAGES.md and
.rhiza/docs/TOKEN_SETUP.md; either remove those link lines from the README or
replace them with correct existing documentation references (or restore the
missing TEMPLATE files into the repo). Edit the README entry that currently
lists "[PRIVATE_PACKAGES.md] ... [TOKEN_SETUP.md]" and remove both links if no
replacement docs exist, or update the target paths to the correct docs that do
exist in the repository (or ensure TOKEN_SETUP.md is added back if intended to
be present).

Comment on lines +129 to +136
## Project Structure

- `src/`: Source code
- `tests/`: Tests (pytest)
- `assets/`: Static assets
- `book/`: Documentation source
- `docker/`: Docker configuration
- `.rhiza/`: Rhiza-specific scripts and configurations

⚠️ Potential issue | 🟡 Minor

Verify project structure documentation accuracy.

The project structure lists book/ as the documentation source directory, but the PR description indicates the book/ tree was removed and documentation moved to MkDocs. Consider updating this to reflect the current structure (likely docs/).

📝 Suggested update
 ## Project Structure
 
 - `src/`: Source code
 - `tests/`: Tests (pytest)
 - `assets/`: Static assets
-- `book/`: Documentation source
+- `docs/`: Documentation source (MkDocs)
 - `docker/`: Docker configuration
 - `.rhiza/`: Rhiza-specific scripts and configurations
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## Project Structure
- `src/`: Source code
- `tests/`: Tests (pytest)
- `assets/`: Static assets
- `book/`: Documentation source
- `docker/`: Docker configuration
- `.rhiza/`: Rhiza-specific scripts and configurations
## Project Structure
- `src/`: Source code
- `tests/`: Tests (pytest)
- `assets/`: Static assets
- `docs/`: Documentation source (MkDocs)
- `docker/`: Docker configuration
- `.rhiza/`: Rhiza-specific scripts and configurations
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/copilot-instructions.md around lines 129 - 136, Update the "Project
Structure" section by replacing the `book/` entry with `docs/` and note that
documentation now uses MkDocs (e.g., change the list item from "`book/`:
Documentation source" to something like "`docs/`: Documentation source
(MkDocs)") so the README/guide matches the PR description; modify the `Project
Structure` heading and the bullet list where `book/` appears to reflect `docs/`
and MkDocs.

- type: markdown
attributes:
value: |
Welcome! Use this space to ask questions, share how your use-case, or explore ideas with the community.

⚠️ Potential issue | 🟡 Minor

Fix wording typo in the intro copy.

Line 7 has a grammar issue: “share how your use-case” reads incorrectly and may confuse reporters.

✏️ Suggested copy fix
-        Welcome! Use this space to ask questions, share how your use-case, or explore ideas with the community.
+        Welcome! Use this space to ask questions, share your use case, or explore ideas with the community.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Welcome! Use this space to ask questions, share how your use-case, or explore ideas with the community.
Welcome! Use this space to ask questions, share your use case, or explore ideas with the community.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/DISCUSSION_TEMPLATE/q-and-a.yml at line 7, Replace the awkward
phrase "share how your use-case" in the intro copy with clearer wording; update
the sentence "Welcome! Use this space to ask questions, share how your use-case,
or explore ideas with the community." to read something like "Welcome! Use this
space to ask questions, share your use case, or explore ideas with the
community." to fix the grammar and improve clarity.

Comment on lines +24 to +34
if ! make test; then
echo "[copilot-hook] [ERROR] Tests failed"
echo "[copilot-hook] [INFO] Remediation: Review the test failures above"
echo "[copilot-hook] [INFO] Common fixes:"
echo "[copilot-hook] - Run 'make test' locally to see detailed output"
echo "[copilot-hook] - Check if new code broke existing functionality"
echo "[copilot-hook] - Verify test assertions match expected behavior"
echo "[copilot-hook] - Review test logs in _tests/ directory"
exit 1
fi
echo "[copilot-hook] [OK] Tests passed"

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== test target definitions ==="
rg -n '^[[:space:]]*test(::|:)' --glob 'Makefile' --glob '*.mk'

echo
echo "=== dry-run of make test ==="
make -n test

Repository: tschm/cs

Length of output: 83


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Makefile and *.mk files in repo ==="
find . -type f \( -name "Makefile" -o -name "*.mk" \) | sort

echo
echo "=== Search for test target with broader pattern ==="
rg -n 'test[:\s]' --type makefile 2>/dev/null | head -20

echo
echo "=== Check .rhiza/make.d/book.mk specifically ==="
if [ -f ".rhiza/make.d/book.mk" ]; then
    echo "File exists. Content:"
    cat -n ".rhiza/make.d/book.mk"
else
    echo "File does not exist"
fi

echo
echo "=== Try running make test (without -n) to see actual behavior ==="
make test 2>&1 || echo "make test exited with code: $?"

Repository: tschm/cs

Length of output: 308


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Main Makefile ==="
cat -n ./Makefile | head -50

echo
echo "=== .rhiza/make.d/book.mk ==="
cat -n ./.rhiza/make.d/book.mk

echo
echo "=== .rhiza/make.d/quality.mk ==="
cat -n ./.rhiza/make.d/quality.mk | head -40

echo
echo "=== .rhiza/rhiza.mk ==="
cat -n ./.rhiza/rhiza.mk | head -40

Repository: tschm/cs

Length of output: 10102


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Check for test.mk file ==="
find . -name "test.mk" -o -name "*test*.mk" 2>/dev/null | sort

echo
echo "=== Search all .mk files for 'test::' or 'test:' definitions ==="
for mkfile in ./.rhiza/make.d/*.mk ./.rhiza/rhiza.mk ./Makefile; do
  if [ -f "$mkfile" ]; then
    matches=$(grep -n '^test:' "$mkfile" 2>/dev/null || true)
    if [ -n "$matches" ]; then
      echo "Found in $mkfile:"
      echo "$matches"
    fi
  fi
done

echo
echo "=== Check bootstrap.mk and marimo.mk for test references ==="
cat -n ./.rhiza/make.d/bootstrap.mk | grep -i test || echo "No test references in bootstrap.mk"
echo "---"
cat -n ./.rhiza/make.d/marimo.mk | grep -i test || echo "No test references in marimo.mk"

echo
echo "=== Check releasing.mk for test references ==="
cat -n ./.rhiza/make.d/releasing.mk | grep -i test || echo "No test references in releasing.mk"

Repository: tschm/cs

Length of output: 1112


The `make test` target is a no-op stub with no concrete implementation in this repository.

The hook at lines 24-34 will always succeed because `make test` is defined in `.rhiza/make.d/book.mk` as an empty stub (`test:: ; @:`). Since `test.mk` does not exist in the codebase, the stub is never overridden. This means the `if ! make test;` check will always pass and print `[copilot-hook] [OK] Tests passed` even when no tests actually execute, defeating the purpose of this gate.

Either:

  • Create a real `test.mk` with concrete test recipes, or
  • Remove the test gate and document why it's disabled
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/hooks/session-end.sh around lines 24 - 34, The session-end hook
calls the make target "test" which is currently a no-op stub defined as test:: ;
@: in .rhiza/make.d/book.mk, so the hook always reports success; fix by either
(A) adding a concrete test recipe file (create test.mk that overrides the test:
target to run your real test command(s), e.g., invoke pytest/npm
test/./run-tests.sh and ensure it's included by the Makefile so make test
actually executes tests) or (B) remove/replace the gate in
.github/hooks/session-end.sh (remove the if ! make test... block or change it to
run a real test command and handle failures) and add a short comment explaining
why the gate was removed/disabled; reference the "test" target and the
session-end hook when making the change.

Comment on lines 408 to 414
- name: "Sync the virtual environment for ${{ github.repository }}"
shell: bash
run: |
export UV_EXTRA_INDEX_URL="${{ secrets.uv-extra-index-url }}"
export UV_EXTRA_INDEX_URL="${{ secrets.uv_extra_index_url }}"
# will just use .python-version?
uv sync --all-extras --all-groups --frozen
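
Review bot: The `export UV_EXTRA_INDEX_URL="${{ secrets.uv_extra_index_url }}"` line expands the secret into the script text before bash parses it, so a value containing a double quote, a backtick or `$(` changes the command that actually runs. Map the secret through the step's `env:` block instead (`UV_EXTRA_INDEX_URL: ${{ secrets.uv_extra_index_url }}`) and drop the `export`, so the shell only ever receives it as an environment variable. The `# will just use .python-version?` comment reads as an open question and should be resolved or removed.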


⚠️ Potential issue | 🟡 Minor

Inconsistent secret naming convention.

Line 411 uses `secrets.uv_extra_index_url` (lowercase with underscores), while other workflows in this PR use `secrets.UV_EXTRA_INDEX_URL` (uppercase). This inconsistency could cause the secret to not resolve if only one naming convention is configured.

📝 Suggested fix for consistency
      - name: "Sync the virtual environment for ${{ github.repository }}"
        shell: bash
        run: |
-          export UV_EXTRA_INDEX_URL="${{ secrets.uv_extra_index_url }}"
+          export UV_EXTRA_INDEX_URL="${{ secrets.UV_EXTRA_INDEX_URL }}"
           # will just use .python-version?
           uv sync --all-extras --all-groups --frozen
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: "Sync the virtual environment for ${{ github.repository }}"
shell: bash
run: |
export UV_EXTRA_INDEX_URL="${{ secrets.uv-extra-index-url }}"
export UV_EXTRA_INDEX_URL="${{ secrets.uv_extra_index_url }}"
# will just use .python-version?
uv sync --all-extras --all-groups --frozen
- name: "Sync the virtual environment for ${{ github.repository }}"
shell: bash
run: |
export UV_EXTRA_INDEX_URL="${{ secrets.UV_EXTRA_INDEX_URL }}"
# will just use .python-version?
uv sync --all-extras --all-groups --frozen
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/rhiza_release.yml around lines 408 - 414, The secret name
is inconsistent: the workflow currently references secrets.uv_extra_index_url
but other workflows use secrets.UV_EXTRA_INDEX_URL; update the export line in
the "Sync the virtual environment for ${{ github.repository }}" step to use
secrets.UV_EXTRA_INDEX_URL (and ensure the exported env var UV_EXTRA_INDEX_URL
stays the same) so the secret resolves consistently across workflows.

Comment thread .rhiza/make.d/quality.mk
.PHONY: all deptry fmt license todos suppression-audit

##@ Quality and Formatting
all: fmt deptry test docs-coverage security license typecheck rhiza-test ## run all CI targets locally

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for target definitions in all Makefile includes
echo "=== Searching for quality target definitions ==="
for target in fmt deptry test docs-coverage security license typecheck rhiza-test; do
  echo "--- Target: $target ---"
  rg -n "^${target}[[:space:]]*:" --type make || echo "  Not found as primary target"
  rg -n "^${target}::" --type make || echo "  Not found as double-colon target"
done

Repository: tschm/cs

Length of output: 816


🏁 Script executed:

#!/bin/bash

# First, list the .rhiza/make.d/ directory to see what Makefiles exist
echo "=== Makefile structure in .rhiza/make.d/ ==="
ls -la .rhiza/make.d/ || echo "Directory not found"
echo ""

# Check what's included in quality.mk
echo "=== Content of quality.mk ==="
cat -n .rhiza/make.d/quality.mk || echo "File not found"
echo ""

# Search for target definitions more broadly (not anchored)
echo "=== Broader search for targets in all Makefiles ==="
for target in fmt deptry test docs-coverage security license typecheck rhiza-test; do
  echo "--- Searching for '$target' target ---"
  rg "${target}\s*:" .rhiza/make.d/ -A 2 || echo "  Not found in .rhiza/make.d/"
done

Repository: tschm/cs

Length of output: 4610


🏁 Script executed:

#!/bin/bash

# Check if main Makefile exists at root
echo "=== Main Makefile at repository root ==="
[ -f Makefile ] && ls -la Makefile || echo "No Makefile at root"
echo ""

# Search for missing targets throughout the entire repository
echo "=== Searching for missing targets in entire repository ==="
for target in docs-coverage security typecheck rhiza-test; do
  echo "--- Target: $target ---"
  rg "^\s*${target}\s*:" --type make || echo "  Not found"
done

Repository: tschm/cs

Length of output: 366


The `all` target references four undefined targets; `make all` will fail.

Line 11 chains eight targets: `fmt deptry test docs-coverage security license typecheck rhiza-test`. Of these, `fmt`, `deptry`, `test` (stubbed in `book.mk`), and `license` exist. However, `docs-coverage`, `security`, `typecheck`, and `rhiza-test` are not defined anywhere in the repository.

Make will fail when attempting to run `make all`. Either create stub targets for these (e.g., `docs-coverage: ; @:`) or remove them from the `all` dependency chain.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.rhiza/make.d/quality.mk at line 11, The "all" make target references
missing targets causing "make all" to fail; update the dependency chain by
either adding stub targets for docs-coverage, security, typecheck, and
rhiza-test (define targets named docs-coverage, security, typecheck, rhiza-test
as no-op/stub targets) or remove those names from the all target dependency list
so only existing targets (fmt, deptry, test, license, etc.) are referenced;
ensure the changes update the all target declaration and add corresponding stub
target definitions if you choose the stub approach.
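
The two Makefile findings in the review comments above (the empty `test` stub behind the session-end hook gate, and the undefined prerequisites of `all`) can be checked statically before a gate's exit status is trusted. This is an added example, not code from this PR or from the rhiza template; the function names and the `@echo` sample recipes are assumptions, and prerequisites are not followed when deciding whether a recipe is empty.

```shell
# Added example: static audit of make targets used as CI or hook gates.
# Reads only literal "name:" / "name::" rules; pattern rules and variables are not resolved.

mk_files() { find "$1" -type f \( -name Makefile -o -name '*.mk' \) | sort; }

# Every rule line that defines TARGET (single- or double-colon) under DIR.
rule_lines() {  # rule_lines DIR TARGET
  mk_files "$1" | while IFS= read -r f; do
    grep -E "^$2[[:space:]]*::?([^:=]|\$)" "$f" || true
  done
}

# Every recipe command attached to TARGET: inline after ";" or on tab-indented lines.
recipe_lines() {  # recipe_lines DIR TARGET
  mk_files "$1" | while IFS= read -r f; do
    awk -v t="$2" '
      /^\t/ { if (on) print substr($0, 2); next }   # recipe line of the current rule
      /^[ ]*(#|$)/ { next }                         # blank and comment lines keep the rule open
      { on = 0 }
      $0 ~ ("^" t "[ \t]*::?([^:=]|$)") {
        on = 1; i = index($0, ";"); c = index($0, "#")
        if (i && (!c || i < c)) print substr($0, i + 1)
      }' "$f"
  done
}

# True when TARGET is defined but no rule for it runs anything except ":" or "true".
recipe_is_empty() {  # recipe_is_empty DIR TARGET
  [ -n "$(rule_lines "$1" "$2")" ] || return 1
  ! recipe_lines "$1" "$2" | sed -e 's/^[[:space:]@+-]*//' -e 's/[[:space:]]*$//' |
    grep -Eqv '^(:|true)?$'
}

# Prerequisites of TARGET that no makefile under DIR defines, one per line.
undefined_prereqs() {  # undefined_prereqs DIR TARGET
  rule_lines "$1" "$2" | sed -e 's/^[^:]*::*//' -e 's/[;#].*$//' | tr -s '[:space:]' '\n' |
  while IFS= read -r dep; do
    [ -z "$dep" ] || [ -n "$(rule_lines "$1" "$dep")" ] || echo "$dep"
  done
}

# Constructed sample tree holding the two rules quoted in the review comments.
write_sample() {  # write_sample DIR
  m="$1/.rhiza/make.d"; mkdir -p "$m"
  printf 'test:: ; @:\n' > "$m/book.mk"
  printf 'all: fmt deptry test docs-coverage security license typecheck rhiza-test\n' > "$m/quality.mk"
  printf '%s:\n\t@echo %s\n' fmt fmt deptry deptry license license >> "$m/quality.mk"
}
```

A hook can call `recipe_is_empty . test` before `make test` and exit non-zero when it returns true, so an empty gate is reported as a failure rather than as passed tests.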


```bash
marimo edit book/marimo/rhiza.py
marimo edit docs/notebooks/rhiza.py

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, check the current state of the MARIMO.md file
cat -n docs/development/MARIMO.md | head -110

Repository: tschm/cs

Length of output: 3579


🏁 Script executed:

# Search for make targets related to marimo
find . -name "*.mk" -o -name "Makefile" | xargs grep -l "marimo" 2>/dev/null

Repository: tschm/cs

Length of output: 101


🏁 Script executed:

# Check if there's a .rhiza/make.d/marimo.mk mentioned in the review
cat -n .rhiza/make.d/marimo.mk 2>/dev/null || echo "File not found"

Repository: tschm/cs

Length of output: 2127


🏁 Script executed:

# Search for other marimo command invocations in the codebase to understand conventions
rg "marimo\s+(edit|run)" --type md docs/

Repository: tschm/cs

Length of output: 186


🏁 Script executed:

# Check how uv run is typically used in the documentation
rg "uv\s+run" --type md docs/ | head -20

Repository: tschm/cs

Length of output: 176


Replace bare `marimo edit` with `uv run --with marimo marimo edit` for consistency with project tooling.

At lines 43 and 103, the bare `marimo` command assumes a global installation and diverges from the project's make targets, which invoke marimo through `uv run --with marimo`. For reproducibility in fresh environments, use the `uv run` approach.

Suggested fix
-marimo edit docs/notebooks/rhiza.py
+uv run --with marimo marimo edit docs/notebooks/rhiza.py
-   marimo edit docs/notebooks/my_notebook.py
+   uv run --with marimo marimo edit docs/notebooks/my_notebook.py
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
marimo edit docs/notebooks/rhiza.py
uv run --with marimo marimo edit docs/notebooks/rhiza.py
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/development/MARIMO.md` at line 43, Replace the bare marimo invocation
with the project's wrapper: find occurrences of the literal command "marimo
edit" (e.g., at the two spots flagged) and update them to "uv run --with marimo
marimo edit" so the docs match the project's reproducible tooling; ensure both
instances are changed and any surrounding examples or Makefile-related guidance
remain consistent with the updated command string.

Comment thread Makefile Outdated
Comment thread Makefile Outdated
Comment thread ruff.toml
Comment on lines +117 to 126
# Marimo notebooks - allow flexible coding patterns for interactive exploration
"**/notebooks/*.py" = [
"D100", # No module docstring - marimo requires `import marimo` as the first statement
"N803", # Allow non-lowercase variable names in notebooks
"S101", # Allow assert statements in notebooks
"PLC0415", # Allow imports not at top-level in notebooks
"B018", # Allow useless expressions in notebooks
"RUF001", # Allow ambiguous unicode in notebooks
"RUF002", # Allow ambiguous unicode in notebooks
]
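
Review bot: The comments on `"RUF001"` and `"RUF002"` are identical, which hides that the two rules cover different places (strings and docstrings), and together with `"S101"` they switch off checks for every file matching `"**/notebooks/*.py"`. With the ambiguous-Unicode rules ignored, a look-alike character in a notebook string or docstring passes lint unnoticed. Say in each comment which rule it is and why notebooks need it, or drop the two `RUF` entries if no notebook actually contains such characters.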

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check notebook file locations to verify pattern coverage
echo "Searching for notebook-like Python files..."
fd -e py . -p "marimo|notebook" 2>/dev/null | head -20 || echo "No matches found"
echo ""
echo "Checking for nested notebook directories..."
fd -t d -p "notebooks" 2>/dev/null | while read dir; do
  echo "Directory: $dir"
  find "$dir" -name "*.py" -type f 2>/dev/null | head -5
done

Repository: tschm/cs

Length of output: 208


🏁 Script executed:

# Check for Python files in notebooks directories more thoroughly
echo "=== Looking for Python files in notebooks directories ==="
find book/docs/notebooks -name "*.py" -type f 2>/dev/null | head -20

echo ""
echo "=== Checking if notebooks directory has subdirectories with Python files ==="
find book/docs/notebooks -type d | head -20

echo ""
echo "=== Viewing ruff.toml around lines 117-126 ==="
sed -n '110,130p' ruff.toml

echo ""
echo "=== Checking git history for this section ==="
git log -p --follow -S "notebooks" -- ruff.toml 2>/dev/null | head -100

Repository: tschm/cs

Length of output: 1363


🏁 Script executed:

# Look for any marimo-related files or patterns in git history
echo "=== Searching for marimo patterns in git history ==="
git log --all -S "marimo" --oneline -- ruff.toml 2>/dev/null | head -10

echo ""
echo "=== Get the full diff for notebook-related changes ==="
git log -p --all -S "notebooks" -- ruff.toml 2>/dev/null | head -200

echo ""
echo "=== Check current directory structure in notebooks ==="
tree -L 3 book/docs/notebooks 2>/dev/null || find book/docs/notebooks -type f | head -20

echo ""
echo "=== Search entire repo for any .py files with marimo or notebook keywords ==="
rg -l "marimo|notebook" --type py | head -20

Repository: tschm/cs

Length of output: 683


Pattern change breaks marimo notebook linting exclusions.

The pattern changed from `"**/marimo/**/*.py"` to `"**/notebooks/*.py"`, which is a critical regression. The actual marimo notebooks are located in `book/marimo/` (`Experiment1.py` through `Experiment5.py`), not in a `notebooks/` directory. The `notebooks/` directory exists only at `book/docs/notebooks/` and contains markdown files, not Python files. This means the linting rule exclusions no longer apply to any actual Python files in the repository. Consider reverting to `"**/marimo/**/*.py"` or updating the comment if notebooks were intentionally moved to a different location.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@ruff.toml` around lines 117 - 126, The glob pattern change from
"**/marimo/**/*.py" to "**/notebooks/*.py" in ruff configuration broke the
intended exclusions for Marimo notebooks; revert the exclusion pattern back to
"**/marimo/**/*.py" (or, if notebooks were intentionally moved, update the
pattern to the new correct path and adjust the accompanying comment) so the
linter ignores the actual Marimo notebook Python files (e.g.,
Experiment1.py..Experiment5.py).

@tschm tschm merged commit 091145c into main Apr 16, 2026
4 checks passed
@tschm tschm deleted the rhiza branch April 16, 2026 03:01
@coderabbitai coderabbitai Bot mentioned this pull request Apr 23, 2026
2 tasks