Skip to content

chore: sync CLAUDE.md from tvna/claude-md master#533

Open
tvna-bot[bot] wants to merge 67 commits into
mainfrom
chore/sync-claude-md
Open

chore: sync CLAUDE.md from tvna/claude-md master#533
tvna-bot[bot] wants to merge 67 commits into
mainfrom
chore/sync-claude-md

Conversation

@tvna-bot

@tvna-bot tvna-bot Bot commented Jul 5, 2026

Copy link
Copy Markdown

Automated sync of CLAUDE.md from the master repository
tvna/claude-md (main).

Source of truth is tvna/claude-md. Review required; do not auto-merge.

Refs #427, #467

claude and others added 30 commits June 5, 2026 23:15
Scope is package management only: bun is used as installer and task
runner, while the Node.js 22 runtime is kept (electron-builder runs
reliably on Node).

- Replace package-lock.json with text-based bun.lock
- package.json: npx cz -> bunx cz
- setup-node action: add oven-sh/setup-bun (pinned v2.2.0),
  bun install --frozen-lockfile, cache key on bun.lock
- build-stlite action: bun run dump/dist, cache keys on bun.lock
- reusable workflow: npm audit -> bun audit --prod --audit-level=high
- dependabot: npm ecosystem -> bun
- flake.nix: add bun, drop npm from claude shell (Node 22 kept)
- pre-commit: npx prettier -> bunx prettier
- docs + workspace: npm references -> bun

No explicit trustedDependencies needed: bun 1.3 default-trusted list
already covers electron (bun pm untrusted reports 0).

https://claude.ai/code/session_01YFVZD2NsVZMoBRP3iuATAi
build: migrate JavaScript package management from npm to bun (#353)
… updates

Bumps the github-actions group with 17 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.13.0` | `2.19.4` |
| [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `6.0.3` |
| [crate-ci/typos](https://github.com/crate-ci/typos) | `1.34.0` | `1.47.2` |
| [gitleaks/gitleaks-action](https://github.com/gitleaks/gitleaks-action) | `2.3.9` | `3.0.0` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3` | `4` |
| [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) | `0.32.0` | `0.36.0` |
| [codecov/test-results-action](https://github.com/codecov/test-results-action) | `1.1.1` | `1.2.1` |
| [codecov/codecov-action](https://github.com/codecov/codecov-action) | `5.4.3` | `6.0.1` |
| [zaproxy/action-full-scan](https://github.com/zaproxy/action-full-scan) | `0.12.0` | `0.13.0` |
| [actions/github-script](https://github.com/actions/github-script) | `7` | `9` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.2` | `2.4.3` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `4.3.0` | `8.0.1` |
| [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.3.2` | `3.0.0` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.7.1` | `5.0.0` |
| [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) | `2.4.0` | `3.1.0` |
| [madhead/semver-utils](https://github.com/madhead/semver-utils) | `4.3.0` | `5.0.0` |
| [actions/setup-python](https://github.com/actions/setup-python) | `5.6.0` | `6.2.0` |



Updates `step-security/harden-runner` from 2.13.0 to 2.19.4
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@ec9f2d5...9af89fc)

Updates `actions/checkout` from 4.2.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@11bd719...df4cb1c)

Updates `crate-ci/typos` from 1.34.0 to 1.47.2
- [Release notes](https://github.com/crate-ci/typos/releases)
- [Changelog](https://github.com/crate-ci/typos/blob/master/CHANGELOG.md)
- [Commits](crate-ci/typos@392b78f...37bb988)

Updates `gitleaks/gitleaks-action` from 2.3.9 to 3.0.0
- [Release notes](https://github.com/gitleaks/gitleaks-action/releases)
- [Commits](gitleaks/gitleaks-action@ff98106...e0c47f4)

Updates `github/codeql-action` from 3 to 4
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3...v4)

Updates `aquasecurity/trivy-action` from 0.32.0 to 0.36.0
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@dc5a429...ed142fd)

Updates `codecov/test-results-action` from 1.1.1 to 1.2.1
- [Release notes](https://github.com/codecov/test-results-action/releases)
- [Commits](codecov/test-results-action@47f89e9...0fa95f0)

Updates `codecov/codecov-action` from 5.4.3 to 6.0.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@18283e0...e79a696)

Updates `zaproxy/action-full-scan` from 0.12.0 to 0.13.0
- [Release notes](https://github.com/zaproxy/action-full-scan/releases)
- [Changelog](https://github.com/zaproxy/action-full-scan/blob/master/CHANGELOG.md)
- [Commits](zaproxy/action-full-scan@v0.12.0...v0.13.0)

Updates `actions/github-script` from 7 to 9
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@v7...v9)

Updates `ossf/scorecard-action` from 2.4.2 to 2.4.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@05b42c6...4eaacf0)

Updates `actions/download-artifact` from 4.3.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@d3f86a1...3e5f45b)

Updates `softprops/action-gh-release` from 2.3.2 to 3.0.0
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@72f2c25...b430933)

Updates `actions/dependency-review-action` from 4.7.1 to 5.0.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@da24556...a1d282b)

Updates `dependabot/fetch-metadata` from 2.4.0 to 3.1.0
- [Release notes](https://github.com/dependabot/fetch-metadata/releases)
- [Commits](dependabot/fetch-metadata@08eff52...25dd0e3)

Updates `madhead/semver-utils` from 4.3.0 to 5.0.0
- [Release notes](https://github.com/madhead/semver-utils/releases)
- [Commits](madhead/semver-utils@36d1e0e...4cf918a)

Updates `actions/setup-python` from 5.6.0 to 6.2.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a26af69...a309ff8)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: crate-ci/typos
  dependency-version: 1.47.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: gitleaks/gitleaks-action
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: codecov/test-results-action
  dependency-version: 1.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: zaproxy/action-full-scan
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/github-script
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: softprops/action-gh-release
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/dependency-review-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: dependabot/fetch-metadata
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: madhead/semver-utils
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-python
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-955e06a7b8

chore(deps): bump the github-actions group across 1 directory with 17 updates
Measured run #354 (~13min): E2E (max 560s) and ZAP (506s) dominate;
unit/edge-case/coverage already parallelized (30-42s). Design proposes
umbrella + 3 sub-issues: DAG restructuring + coverage dedup, E2E matrix
redesign + sharding, ZAP/build gate decoupling. Invariants: keep 404
edge-case tests, coverage target 80%, and multi-layer security intact.

https://claude.ai/code/session_0196J9gGWw3bb9RhocnCTDad
…360)

Self-review found the critical path (guards->unit->E2E) is unchanged
unless E2E itself decouples from small-unit-test. Decision: keep the E2E
gate (good billable fail-fast) and implement sub-2 (E2E matrix redesign)
first as the real wall-clock lever. Plan adopts option 3: full E2E on
ubuntu across all browsers + windows chromium smoke subset, with
measurement-driven harden-runner egress audit->block.

https://claude.ai/code/session_0196J9gGWw3bb9RhocnCTDad
Resolve conflicts from develop's npm->bun migration (#353): adopt bun
package management wholesale (take develop's package.json, accept
package-lock.json deletion, bring in bun.lock). sub-2 E2E changes are
untouched by the conflict and verified intact post-merge:
- test-e2e matrix: ubuntu x{chromium,firefox,webkit} + windows smoke
- test-marker input, smoke marker (smoke=3 / e2e=33 collected)
- harden-runner SHA advanced to develop's bumped pin; egress audit spike preserved

https://claude.ai/code/session_0196J9gGWw3bb9RhocnCTDad
ubuntu webkit crashes at launch on every test
(playwright TargetClosedError: browser closed), while chromium and
firefox pass on the same ubuntu runner under the same harden-runner
audit policy. This is a webkit-on-Linux launch issue, not egress/harden.
Move webkit to macOS (its native engine, proven stable); keep chromium
and firefox on ubuntu (fast, 1x). Full e2e coverage across all three
browsers is preserved.

https://claude.ai/code/session_0196J9gGWw3bb9RhocnCTDad
Task 6: revert the ubuntu E2E harden-runner egress spike from audit back
to the block default, with an allowed-endpoints set derived from the
audit insights of the passing ubuntu chromium job (python/uv, playwright
CDN, apt mirrors incl. ubuntu/microsoft/google, actions cache, Streamlit).
GH/harden internal endpoints are permitted by harden-runner in block mode.

Add a deterministic guard in guard-workflow that fails CI if any
harden-runner step in this reusable workflow hardcodes egress-policy:
audit, so the spike can never merge unreverted (anchored grep avoids
matching its own message text).

https://claude.ai/code/session_0196J9gGWw3bb9RhocnCTDad
ci(e2e): E2Eマトリクス再設計でCI時間短縮 (ubuntu集約 + windowsスモーク)
Bumps the github-actions group with 1 update: [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `codecov/codecov-action` from 6.0.1 to 7.0.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@e79a696...fb8b358)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-63603d1b79

chore(deps): bump codecov/codecov-action from 6.0.1 to 7.0.0 in the github-actions group
The pip ecosystem bumps pyproject.toml constraints but never regenerates
uv.lock, so every Python Dependabot PR lands with a stale lockfile and CI
fails at `uv sync --locked` (seen on #364). Dependabot's uv ecosystem reads
pyproject.toml and maintains uv.lock in lockstep, removing the recurring
manual `uv lock` repair.

- package-ecosystem: pip -> uv
- group name: pip -> uv

No change to schedule, grouping, target-branch, or the other ecosystems.
)

`security-updates` is not a valid property in the Dependabot updates schema,
so the `.github/dependabot.yml` validation check failed once this PR touched
the file:

  The property '#/updates/N/' contains additional properties
  ["security-updates"] outside of the schema when none are allowed

The key was a pre-existing no-op on all four update entries (Dependabot
security updates are controlled by repository security settings, not this
field), so removing it is behavior-preserving and clears the validation error.
ci(deps): switch Dependabot from pip to uv ecosystem (#379)
Supersedes #364: handle chardet 5->7 migration together with all 31
pip-group bumps in one PR. Records the chardet 5 vs 7 detection-behavior
investigation and the approved transcoder design.
Re-applies the 30 non-chardet bumps from #364 (mypy 1->2, ruff 0.15,
pandas-stubs 3, packaging 26, pytest-playwright 0.8, etc.) plus the
pydantic 2.13.4 bump and its error-doc URL fixture. chardet held at 5.x
in this commit; migrated in the next. Supersedes #364.
chardet 7 removes chardet.resultdict and changes detection behavior.
Drop the ResultDict TYPE_CHECKING import (use chardet.DetectionDict).
detect_encoding now returns None when none of the supported encodings can
decode the bytes, instead of echoing chardet's arbitrary low-confidence
guess: binary detection is version-independent and core.py's deny-fallback
is hardened. Update 10 transcoder expectations to chardet 7's more-correct
behavior (empty->utf-8, large_binary->None, music note->correct shift_jis).
Supersedes #364.
crate-ci/typos (Guard workflow files CI job) flags 'mis-detected' as a
misspelling of 'miss/mist'. Reword to 'wrongly detected'.
chardet 5 -> 7 migration + consolidated Dependabot pip-group bumps (#382)
…y/lint-staged (#385)

Bump devDependencies to their newest versions published on or before
2026-06-03 (7-day release cooldown):
- @commitlint/{cli,config-conventional,cz-commitlint} 19.8.1 -> 21.0.2
- @stlite/desktop 0.85.1 -> 0.101.0
- cross-env 7.0.3 -> 10.1.0
- electron 37.2.3 -> 42.3.2 (exact-pinned; 42.4.0 within cooldown)
- electron-builder 26.0.12 -> 26.14.0 (exact-pinned; 26.15.2 within cooldown)
- prettier 3.6.2 -> 3.8.3 (exact-pinned; 3.8.4 within cooldown)
- prettier-plugin-sort-json 4.1.1 -> 4.2.0
- rimraf 6.0.1 -> 6.1.3

Clean up bun-migration remnants: remove the vestigial husky and
lint-staged devDependencies and the dead "hooks" block (pre-commit is
owned by .pre-commit-config.yaml), and add .bun-version (1.3.11) to match
the CI oven-sh/setup-bun pin.

https://claude.ai/code/session_0173cUF33ZhCBywudTqamivV
chore(deps): bump node devDependencies (7-day cooldown) and clean up bun-migration remnants
Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 6.0.3 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@df4cb1c...9c091bb)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
claude and others added 21 commits July 2, 2026 13:36
scripts/gen_superpowers_manifest.py and scripts/flake_pin.py are
unchanged copies of main's files, but this is their first Pyre scan
on develop, so code-scanning reported them as new alerts. Annotate
the flagged module-level constants (Path, re.Pattern[str]) to
satisfy Pyre's strict-mode missing-global-annotation check.

Refs #496
feat: merge main into develop, retire Streamlit/Electron artifacts (D1)
The D1 merge (PR #497) intended to fully retire bun in favor of
main's npm tooling, but docs/runbooks/commands.md,
docs/standards/package-management.md, and docs/standards/README.md
auto-merged to develop's old bun-based content instead of main's.
Restore main's npm-based content in these 3 files; develop now
matches main byte-for-byte except the 4 salvaged dependency bumps
and the Pyre annotation fixes from PR #497.

Refs #496
fix: restore npm-based docs left over from the bun-era develop branch
…9gzvkb

feat: add AI-infrastructure template series (DGX Spark + ollama, zero-trust access) (#494)
Migrates both the root package.json and web/package.json from npm to
bun as the package manager. Re-implements the design from the stale
claude/npm-to-bun-migration-dnNwn branch (which forked from main
before the Streamlit-to-Vercel rewrite) against the current tree,
rather than rebasing that branch directly.

- Replace package-lock.json / web/package-lock.json with bun.lock /
  web/bun.lock.
- .github/actions/setup-node: install bun via oven-sh/setup-bun,
  cache keyed on bun.lock, bun install --frozen-lockfile.
- reusable-test-and-build.yml: npm audit -> bun audit.
- web-ci.yml: both jobs use oven-sh/setup-bun; npm ci/run/npx ->
  bun install/run/bunx.
- .pre-commit-config.yaml: local prettier hooks use bunx.
- flake.nix: add bun to sharedPackages, drop the npm-only package
  from the claude devShell (root and web both use bun now).
- .github/dependabot.yml: do NOT rename the npm ecosystem to `bun`.
  #367 already established that `package-ecosystem: bun` is not a
  Dependabot-supported value and fails schema validation. Removed
  the JS ecosystem entry instead, with a note explaining why, until
  Dependabot supports bun natively.
- scripts/apply_version.mjs: dropped the package-lock.json version
  sync path (dead code now that the file never exists; bun.lock has
  no per-package version field to keep in sync). Updated the
  corresponding test and .releaserc.json's release assets list.
- docs (package-management.md, commands.md, runbooks, workspace
  file, README): updated npm references to bun.

Verified: root `bun install` / `bun pm untrusted` (0 untrusted) /
`bun audit --prod --audit-level=high` (clean) / pre-commit run
(scoped to changed files, all green, 425 tests passed). web/ `bun
install` / `bun pm untrusted` (0 untrusted) / `bun run build` /
`bunx vitest run` (39 passed, 5 skipped; 1 pre-existing
environment-only failure from sandboxed network blocking pyodide
wheel vendoring, same as documented in PR #495, unrelated to this
change).

IMPORTANT — manual follow-up required before merge: web/ is deployed
via Vercel with Install Command explicitly pinned to `npm ci` in the
project dashboard. That dashboard setting is not managed in this
repo and must be updated to `bun install --frozen-lockfile` (Build
Command to `bun run build`) before this merges, or the Vercel build
will break once package-lock.json is gone. See
docs/runbooks/vercel-deploy.md for the updated reference commands.

Refs #353
build: migrate JavaScript package management from npm to bun (#353)
`.github/rulesets/all-branches.json`(force-push禁止、上流tvna/claude-mdから
そのまま同期)と`.github/rulesets/main.json`(PR必須・線形履歴・署名必須・
必須ステータスチェック1件、command-ghostwriter用にローカルで新規作成)を
追加し、GitHub Repository Rulesets APIへplan/applyする簡略版ハーネス
(scripts/rulesets_apply.py + .github/workflows/apply-rulesets.yml)を
上流tvna/claude-mdの簡略版として移植する。all-branches.jsonのみを
sync-agent-instructions.ymlのsync-rulesetsジョブで自動追従させ、
main.jsonは(required_status_checksがリポジトリ固有のため)同期対象外とする。

PAT発行手順をdocs/runbooks/rulesets.mdに記録する(CLAUDE.md 4章の
秘密情報発行経路明記の要件に準拠)。

副次的に、.pre-commit-config.yamlのprettier-github-actions-yamlフックが
entryに`./.github`ディレクトリを直書きしていたため、pre-commit自身が
渡すtypes: yamlフィルタを無視してprettierが`.github/`配下の.jsonファイルまで
再帰的に拾い、--parser=yamlで不正なトレイリングカンマ入りJSONへ書き換えて
しまう既存バグを発見・修正した(entryから`./.github`を削除し、
pre-commitが渡すyamlファイルのみを対象にする)。

本コミットのみではmainは保護されない。実際に有効化するには、オーナーが
RULESETS_PAT(Administration: Read and write, Metadata: Read-only、
tvna/command-ghostwriter限定のfine-grained PAT)を発行・登録し、
apply-rulesets.ymlをdry_run: falseで手動dispatchする必要がある。

Refs #503
RULESETS_PATをworkflow-level envから、実際に必要な"Guard RULESETS_PAT"と
"Plan and apply rulesets"の2ステップのみのstep-level envへ移動する。
checkout・setup-pythonなど無関係なステップにAdministration: Read/writeの
PATを晒さないため。

rulesets_apply.pyのfetch_live_rulesetsにincludes_parents=falseを追加し、
org-owned repoで同名のorg親rulesetが誤ってマッチしPUT先を誤ることを防ぐ
(tvnaは個人アカウントのため現状は発火しないが、防御的に追加)。

いずれもPR #504へのCodexレビュー指摘(P2)。

Refs #503
CIのGuard workflow filesジョブでtyposツールが"mis-route"を
"miss"/"mist"のtypoとして検出し失敗していた。コメントの表現を変更する。

Refs #503
Codexレビュー指摘(PR #504、peter-evans/create-pull-requestのソース
コードで検証済み): sync-claude-md・sync-apm-skills・sync-rulesetsの
各ジョブはPRブランチを2回目以降更新する際に必ずforce-push相当の操作
(signed commitsの場合はGitHub APIのupdateRef force:true)を行うため、
all-branches.jsonのnon_fast_forwardルールを適用すると、既存PRが未
マージのまま次回スケジュール実行を迎えた際に週次sync PRの更新が
失敗する。

all-branches.jsonのexcludeにrefs/heads/chore/sync-*を追加する。この
除外は上流tvna/claude-mdには存在しないローカル追加のため、
sync-rulesetsジョブが上流ファイルをコピーした直後にPythonで決定的に
再付与するようにし(人間が気付いて手動で足し直す運用には頼らない)、
PR本文にも自己点検の一文を追加する。

Refs #503
Bumps the github-actions group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.13.0` | `2.19.4` |
| [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `7.0.0` |
| [actions/github-script](https://github.com/actions/github-script) | `7.0.1` | `9.0.0` |
| [madhead/semver-utils](https://github.com/madhead/semver-utils) | `4.3.0` | `5.0.0` |
| [actions/setup-python](https://github.com/actions/setup-python) | `5.6.0` | `6.3.0` |


Updates `step-security/harden-runner` from 2.13.0 to 2.19.4
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@v2.13.0...9af89fc)

Updates `actions/checkout` from 4.2.2 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4.2.2...9c091bb)

Updates `actions/github-script` from 7.0.1 to 9.0.0
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@v7.0.1...v9)

Updates `madhead/semver-utils` from 4.3.0 to 5.0.0
- [Release notes](https://github.com/madhead/semver-utils/releases)
- [Commits](madhead/semver-utils@36d1e0e...4cf918a)

Updates `actions/setup-python` from 5.6.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a26af69...ece7cb0)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/github-script
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: madhead/semver-utils
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-python
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-136b7e9fb2

build(deps): bump the github-actions group with 5 updates
ci(rulesets): protect main via ruleset sync + local apply harness (#503)
Redo of the earlier attempt (PR #519, closed): that PR was built from
main's copy of this file (2 jobs, already on App tokens from #511/#512)
and incorrectly targeted main as its own PR base, when claude/* branches
in this repo are supposed to target develop.

develop's actual copy of this file had diverged further than expected:
it carries a third job (sync-rulesets, from #503/#504) that main never
received, and none of its three jobs had the App-token fix at all (still
on GITHUB_TOKEN, same mergeable_state: blocked bug class as #510).

This commit is built directly from develop's content and applies, to all
three jobs (sync-claude-md, sync-apm-skills, sync-rulesets):
- actions/create-github-app-token minting, replacing GITHUB_TOKEN
- an explicit ref: develop on the initial checkout step (schedule /
  workflow_dispatch triggers otherwise default to checking out main,
  which would leave the diff/commit basis on the wrong branch even
  after retargeting the PR itself)
- base: main -> base: develop on the peter-evans/create-pull-request step

main keeps receiving these updates only via the existing version-gated
develop -> main release-promotion job, per the owner's explicit decision.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Lmf3s99U3jTwMjFDEVUYdJ
…-97xtty

ci: App-token + develop-target all 3 sync-agent-instructions jobs (#518)
- useGenerate: expose worker `ready` so the output pane can distinguish
  loading from ready.
- Editor: show an "initializing" spinner + status while Pyodide bootstraps
  (only while genuinely loading; a bootstrap error still surfaces as an
  error), and disable copy/save until ready.
- Editor: make the center splitter draggable via a pointer handler that
  reallocates the pane-width fraction, clamped to 20%-80%.
- Editor: add user-select:none to the app bar, pane headers, and status
  bars so they are clickable but not drag-selectable.
- EmptyState: stack the concept-diagram cards vertically and rotate the
  flow arrow when the viewport is too narrow for a single row.

Refs #529, #441

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AnNqAtPC31wodDZmYiRgz4
…ready (#529)

Address Codex review on #530: the output pane gates its loading state on
`ready`, but between the worker's `ready` message and the first debounced
generate result, `raw` is still null and shapeResult() returns an
empty-but-"ok" value. In that window the pane rendered an empty result with
copy/save enabled, letting the user copy/download empty output.

Gate on `ready && raw !== null` so the initializing state (and disabled
copy/save) persists until the first result or error actually arrives. A
bootstrap error sets `raw`, so it still surfaces via the normal error path
rather than spinning forever.

Add a regression test that drives the mocked worker through
mount -> ready -> first result and asserts the pane stays in the
initializing/disabled state across the ready-but-no-result window.

Refs #530

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AnNqAtPC31wodDZmYiRgz4
Address self-review findings on #530:

- Splitter drag no longer leaks on unmount: the window pointer listeners and
  the global body cursor/user-select are torn down via a ref-held cleanup tied
  to component lifetime (useEffect), plus a pointercancel handler, so an
  Editor unmount mid-drag can't strand the whole app in a col-resize cursor
  with text globally unselectable.
- Splitter drag no longer re-renders the whole editor tree per pointermove:
  the grid template is mutated imperatively via requestAnimationFrame during
  the drag and committed to state once on pointer-up. Columns are applied from
  a layout effect (not React inline style) so an unrelated re-render mid-drag
  can't clobber the in-progress value.
- Init spinner respects prefers-reduced-motion: instead of merely slowing the
  rotation, it switches to a gentle opacity pulse (no rotation), consistent
  with the file's reduced-motion posture for every other animation.

Refs #530

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AnNqAtPC31wodDZmYiRgz4
feat(web): editor UX polish for the 2-pane editor (#529)
…name, download rework, splitter clamp (#532)

- Entrance animations for the empty screen, how-to modal, and settings
  modal (fade/scale-in; honors prefers-reduced-motion by snapping to the
  final visible state so a fade-in never leaves an element invisible).
- Replace the empty-screen tagline "設定定義 × テンプレート → 再現可能なコマンド"
  with the value-forward "値を変えるだけで、コマンドも手順書も。".
- App-bar filename is now an editable field and is the download filename
  base; the download-filename input is removed from the settings modal.
- Download extension is derived from the output mode (手順書 → .md,
  Raw → .txt) instead of a settings radio; the save button moves to the
  pane footer, copy stays in the header. DownloadOptions drops fname/ext.
- Clamp the splitter with per-side minimum widths so neither pane header
  clips (the left header is wider than the right); falls back to 50/50
  when the window is too small to grant both floors.

Item 3 (template sub-categories) is intentionally not included: no such
implementation exists in git history (see #532), so it is a new feature
pending an owner decision rather than a restoration.

Refs #532, #529

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AnNqAtPC31wodDZmYiRgz4
@vercel

vercel Bot commented Jul 5, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
command-ghostwriter Error Error Jul 5, 2026 6:05pm

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

claude and others added 4 commits July 5, 2026 22:21
Implements item 3 as a new feature (no prior implementation existed in
history — see #532). Adds a required `subCategory` field to Template and
groups the library card grid into sub-category sections with headings +
counts. Sub-categories follow each category's natural technical axis:
network by vendor/product (Cisco, YAMAHA, firewalld), server by distro
(Ubuntu / Debian), DNS by software (BIND), runbooks by target system
(ネットワーク, プロキシ / Web), AI infra by product (NVIDIA DGX,
step-ca / Caddy). Groups are ordered by category (so same-category
sub-categories stay adjacent, incl. the "すべて" view) then by first
appearance; the left category rail is unchanged.

Refs #532

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AnNqAtPC31wodDZmYiRgz4
#532)

- Splitter floors are now re-clamped on window resize, not only during a
  pointer drag: dragging wide then shrinking the window could otherwise drop
  a pane below its min width and clip its header (the exact case the floors
  exist to prevent).
- The footer save-button label no longer misrepresents the saved file: it is
  built from the same sanitized base as the download and discloses the
  timestamp suffix as "(+日時)" (instead of a concrete time that would drift
  from the click-time value) when the timestamp toggle is on.
- The document name is sanitized (path separators / reserved punctuation /
  leading dots stripped) before it becomes the <a download> filename, so a
  typed name like "report/v2" can't produce a broken, OS-dependent name.
- The filename input gains a maxLength and the footer label truncates a long
  base, so a very long name can't overflow the footer. The input shows a
  "command" placeholder so an emptied field matches the download fallback.

Adds component tests for the sanitize, empty-fallback, and timestamp-note
behavior; the resize re-clamp is verified end-to-end in the browser.

Refs #532

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AnNqAtPC31wodDZmYiRgz4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants