chore: sync CLAUDE.md from tvna/claude-md master#533
Open
tvna-bot[bot] wants to merge 67 commits into
Open
Conversation
Scope is package management only: bun is used as installer and task runner, while the Node.js 22 runtime is kept (electron-builder runs reliably on Node). - Replace package-lock.json with text-based bun.lock - package.json: npx cz -> bunx cz - setup-node action: add oven-sh/setup-bun (pinned v2.2.0), bun install --frozen-lockfile, cache key on bun.lock - build-stlite action: bun run dump/dist, cache keys on bun.lock - reusable workflow: npm audit -> bun audit --prod --audit-level=high - dependabot: npm ecosystem -> bun - flake.nix: add bun, drop npm from claude shell (Node 22 kept) - pre-commit: npx prettier -> bunx prettier - docs + workspace: npm references -> bun No explicit trustedDependencies needed: bun 1.3 default-trusted list already covers electron (bun pm untrusted reports 0). https://claude.ai/code/session_01YFVZD2NsVZMoBRP3iuATAi
build: migrate JavaScript package management from npm to bun (#353)
… updates Bumps the github-actions group with 17 updates in the / directory: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.13.0` | `2.19.4` | | [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `6.0.3` | | [crate-ci/typos](https://github.com/crate-ci/typos) | `1.34.0` | `1.47.2` | | [gitleaks/gitleaks-action](https://github.com/gitleaks/gitleaks-action) | `2.3.9` | `3.0.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `3` | `4` | | [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) | `0.32.0` | `0.36.0` | | [codecov/test-results-action](https://github.com/codecov/test-results-action) | `1.1.1` | `1.2.1` | | [codecov/codecov-action](https://github.com/codecov/codecov-action) | `5.4.3` | `6.0.1` | | [zaproxy/action-full-scan](https://github.com/zaproxy/action-full-scan) | `0.12.0` | `0.13.0` | | [actions/github-script](https://github.com/actions/github-script) | `7` | `9` | | [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.2` | `2.4.3` | | [actions/download-artifact](https://github.com/actions/download-artifact) | `4.3.0` | `8.0.1` | | [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.3.2` | `3.0.0` | | [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.7.1` | `5.0.0` | | [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) | `2.4.0` | `3.1.0` | | [madhead/semver-utils](https://github.com/madhead/semver-utils) | `4.3.0` | `5.0.0` | | [actions/setup-python](https://github.com/actions/setup-python) | `5.6.0` | `6.2.0` | Updates `step-security/harden-runner` from 2.13.0 to 2.19.4 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@ec9f2d5...9af89fc) Updates `actions/checkout` from 4.2.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@11bd719...df4cb1c) Updates `crate-ci/typos` from 1.34.0 to 1.47.2 - [Release notes](https://github.com/crate-ci/typos/releases) - [Changelog](https://github.com/crate-ci/typos/blob/master/CHANGELOG.md) - [Commits](crate-ci/typos@392b78f...37bb988) Updates `gitleaks/gitleaks-action` from 2.3.9 to 3.0.0 - [Release notes](https://github.com/gitleaks/gitleaks-action/releases) - [Commits](gitleaks/gitleaks-action@ff98106...e0c47f4) Updates `github/codeql-action` from 3 to 4 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v3...v4) Updates `aquasecurity/trivy-action` from 0.32.0 to 0.36.0 - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](aquasecurity/trivy-action@dc5a429...ed142fd) Updates `codecov/test-results-action` from 1.1.1 to 1.2.1 - [Release notes](https://github.com/codecov/test-results-action/releases) - [Commits](codecov/test-results-action@47f89e9...0fa95f0) Updates `codecov/codecov-action` from 5.4.3 to 6.0.1 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@18283e0...e79a696) Updates `zaproxy/action-full-scan` from 0.12.0 to 0.13.0 - [Release notes](https://github.com/zaproxy/action-full-scan/releases) - [Changelog](https://github.com/zaproxy/action-full-scan/blob/master/CHANGELOG.md) - [Commits](zaproxy/action-full-scan@v0.12.0...v0.13.0) Updates `actions/github-script` from 7 to 9 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@v7...v9) Updates `ossf/scorecard-action` from 2.4.2 to 2.4.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@05b42c6...4eaacf0) Updates `actions/download-artifact` from 4.3.0 to 8.0.1 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@d3f86a1...3e5f45b) Updates `softprops/action-gh-release` from 2.3.2 to 3.0.0 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](softprops/action-gh-release@72f2c25...b430933) Updates `actions/dependency-review-action` from 4.7.1 to 5.0.0 - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@da24556...a1d282b) Updates `dependabot/fetch-metadata` from 2.4.0 to 3.1.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@08eff52...25dd0e3) Updates `madhead/semver-utils` from 4.3.0 to 5.0.0 - [Release notes](https://github.com/madhead/semver-utils/releases) - [Commits](madhead/semver-utils@36d1e0e...4cf918a) Updates `actions/setup-python` from 5.6.0 to 6.2.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@a26af69...a309ff8) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.19.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: crate-ci/typos dependency-version: 1.47.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: gitleaks/gitleaks-action dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: aquasecurity/trivy-action dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: codecov/test-results-action dependency-version: 1.2.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: codecov/codecov-action dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: zaproxy/action-full-scan dependency-version: 0.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/github-script dependency-version: '9' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/download-artifact dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: softprops/action-gh-release dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/dependency-review-action dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: dependabot/fetch-metadata dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: madhead/semver-utils dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-python dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-955e06a7b8 chore(deps): bump the github-actions group across 1 directory with 17 updates
Measured run #354 (~13min): E2E (max 560s) and ZAP (506s) dominate; unit/edge-case/coverage already parallelized (30-42s). Design proposes umbrella + 3 sub-issues: DAG restructuring + coverage dedup, E2E matrix redesign + sharding, ZAP/build gate decoupling. Invariants: keep 404 edge-case tests, coverage target 80%, and multi-layer security intact. https://claude.ai/code/session_0196J9gGWw3bb9RhocnCTDad
…360) Self-review found the critical path (guards->unit->E2E) is unchanged unless E2E itself decouples from small-unit-test. Decision: keep the E2E gate (good billable fail-fast) and implement sub-2 (E2E matrix redesign) first as the real wall-clock lever. Plan adopts option 3: full E2E on ubuntu across all browsers + windows chromium smoke subset, with measurement-driven harden-runner egress audit->block. https://claude.ai/code/session_0196J9gGWw3bb9RhocnCTDad
Resolve conflicts from develop's npm->bun migration (#353): adopt bun package management wholesale (take develop's package.json, accept package-lock.json deletion, bring in bun.lock). sub-2 E2E changes are untouched by the conflict and verified intact post-merge: - test-e2e matrix: ubuntu x{chromium,firefox,webkit} + windows smoke - test-marker input, smoke marker (smoke=3 / e2e=33 collected) - harden-runner SHA advanced to develop's bumped pin; egress audit spike preserved https://claude.ai/code/session_0196J9gGWw3bb9RhocnCTDad
ubuntu webkit crashes at launch on every test (playwright TargetClosedError: browser closed), while chromium and firefox pass on the same ubuntu runner under the same harden-runner audit policy. This is a webkit-on-Linux launch issue, not egress/harden. Move webkit to macOS (its native engine, proven stable); keep chromium and firefox on ubuntu (fast, 1x). Full e2e coverage across all three browsers is preserved. https://claude.ai/code/session_0196J9gGWw3bb9RhocnCTDad
Task 6: revert the ubuntu E2E harden-runner egress spike from audit back to the block default, with an allowed-endpoints set derived from the audit insights of the passing ubuntu chromium job (python/uv, playwright CDN, apt mirrors incl. ubuntu/microsoft/google, actions cache, Streamlit). GH/harden internal endpoints are permitted by harden-runner in block mode. Add a deterministic guard in guard-workflow that fails CI if any harden-runner step in this reusable workflow hardcodes egress-policy: audit, so the spike can never merge unreverted (anchored grep avoids matching its own message text). https://claude.ai/code/session_0196J9gGWw3bb9RhocnCTDad
ci(e2e): E2Eマトリクス再設計でCI時間短縮 (ubuntu集約 + windowsスモーク)
Bumps the github-actions group with 1 update: [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `codecov/codecov-action` from 6.0.1 to 7.0.0 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@e79a696...fb8b358) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-63603d1b79 chore(deps): bump codecov/codecov-action from 6.0.1 to 7.0.0 in the github-actions group
The pip ecosystem bumps pyproject.toml constraints but never regenerates uv.lock, so every Python Dependabot PR lands with a stale lockfile and CI fails at `uv sync --locked` (seen on #364). Dependabot's uv ecosystem reads pyproject.toml and maintains uv.lock in lockstep, removing the recurring manual `uv lock` repair. - package-ecosystem: pip -> uv - group name: pip -> uv No change to schedule, grouping, target-branch, or the other ecosystems.
) `security-updates` is not a valid property in the Dependabot updates schema, so the `.github/dependabot.yml` validation check failed once this PR touched the file: The property '#/updates/N/' contains additional properties ["security-updates"] outside of the schema when none are allowed The key was a pre-existing no-op on all four update entries (Dependabot security updates are controlled by repository security settings, not this field), so removing it is behavior-preserving and clears the validation error.
ci(deps): switch Dependabot from pip to uv ecosystem (#379)
Supersedes #364: handle chardet 5->7 migration together with all 31 pip-group bumps in one PR. Records the chardet 5 vs 7 detection-behavior investigation and the approved transcoder design.
chardet 7 removes chardet.resultdict and changes detection behavior. Drop the ResultDict TYPE_CHECKING import (use chardet.DetectionDict). detect_encoding now returns None when none of the supported encodings can decode the bytes, instead of echoing chardet's arbitrary low-confidence guess: binary detection is version-independent and core.py's deny-fallback is hardened. Update 10 transcoder expectations to chardet 7's more-correct behavior (empty->utf-8, large_binary->None, music note->correct shift_jis). Supersedes #364.
crate-ci/typos (Guard workflow files CI job) flags 'mis-detected' as a misspelling of 'miss/mist'. Reword to 'wrongly detected'.
chardet 5 -> 7 migration + consolidated Dependabot pip-group bumps (#382)
…y/lint-staged (#385) Bump devDependencies to their newest versions published on or before 2026-06-03 (7-day release cooldown): - @commitlint/{cli,config-conventional,cz-commitlint} 19.8.1 -> 21.0.2 - @stlite/desktop 0.85.1 -> 0.101.0 - cross-env 7.0.3 -> 10.1.0 - electron 37.2.3 -> 42.3.2 (exact-pinned; 42.4.0 within cooldown) - electron-builder 26.0.12 -> 26.14.0 (exact-pinned; 26.15.2 within cooldown) - prettier 3.6.2 -> 3.8.3 (exact-pinned; 3.8.4 within cooldown) - prettier-plugin-sort-json 4.1.1 -> 4.2.0 - rimraf 6.0.1 -> 6.1.3 Clean up bun-migration remnants: remove the vestigial husky and lint-staged devDependencies and the dead "hooks" block (pre-commit is owned by .pre-commit-config.yaml), and add .bun-version (1.3.11) to match the CI oven-sh/setup-bun pin. https://claude.ai/code/session_0173cUF33ZhCBywudTqamivV
chore(deps): bump node devDependencies (7-day cooldown) and clean up bun-migration remnants
Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 6.0.3 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@df4cb1c...9c091bb) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
scripts/gen_superpowers_manifest.py and scripts/flake_pin.py are unchanged copies of main's files, but this is their first Pyre scan on develop, so code-scanning reported them as new alerts. Annotate the flagged module-level constants (Path, re.Pattern[str]) to satisfy Pyre's strict-mode missing-global-annotation check. Refs #496
feat: merge main into develop, retire Streamlit/Electron artifacts (D1)
The D1 merge (PR #497) intended to fully retire bun in favor of main's npm tooling, but docs/runbooks/commands.md, docs/standards/package-management.md, and docs/standards/README.md auto-merged to develop's old bun-based content instead of main's. Restore main's npm-based content in these 3 files; develop now matches main byte-for-byte except the 4 salvaged dependency bumps and the Pyre annotation fixes from PR #497. Refs #496
fix: restore npm-based docs left over from the bun-era develop branch
…9gzvkb feat: add AI-infrastructure template series (DGX Spark + ollama, zero-trust access) (#494)
Migrates both the root package.json and web/package.json from npm to bun as the package manager. Re-implements the design from the stale claude/npm-to-bun-migration-dnNwn branch (which forked from main before the Streamlit-to-Vercel rewrite) against the current tree, rather than rebasing that branch directly. - Replace package-lock.json / web/package-lock.json with bun.lock / web/bun.lock. - .github/actions/setup-node: install bun via oven-sh/setup-bun, cache keyed on bun.lock, bun install --frozen-lockfile. - reusable-test-and-build.yml: npm audit -> bun audit. - web-ci.yml: both jobs use oven-sh/setup-bun; npm ci/run/npx -> bun install/run/bunx. - .pre-commit-config.yaml: local prettier hooks use bunx. - flake.nix: add bun to sharedPackages, drop the npm-only package from the claude devShell (root and web both use bun now). - .github/dependabot.yml: do NOT rename the npm ecosystem to `bun`. #367 already established that `package-ecosystem: bun` is not a Dependabot-supported value and fails schema validation. Removed the JS ecosystem entry instead, with a note explaining why, until Dependabot supports bun natively. - scripts/apply_version.mjs: dropped the package-lock.json version sync path (dead code now that the file never exists; bun.lock has no per-package version field to keep in sync). Updated the corresponding test and .releaserc.json's release assets list. - docs (package-management.md, commands.md, runbooks, workspace file, README): updated npm references to bun. Verified: root `bun install` / `bun pm untrusted` (0 untrusted) / `bun audit --prod --audit-level=high` (clean) / pre-commit run (scoped to changed files, all green, 425 tests passed). web/ `bun install` / `bun pm untrusted` (0 untrusted) / `bun run build` / `bunx vitest run` (39 passed, 5 skipped; 1 pre-existing environment-only failure from sandboxed network blocking pyodide wheel vendoring, same as documented in PR #495, unrelated to this change). IMPORTANT — manual follow-up required before merge: web/ is deployed via Vercel with Install Command explicitly pinned to `npm ci` in the project dashboard. That dashboard setting is not managed in this repo and must be updated to `bun install --frozen-lockfile` (Build Command to `bun run build`) before this merges, or the Vercel build will break once package-lock.json is gone. See docs/runbooks/vercel-deploy.md for the updated reference commands. Refs #353
build: migrate JavaScript package management from npm to bun (#353)
`.github/rulesets/all-branches.json`(force-push禁止、上流tvna/claude-mdから そのまま同期)と`.github/rulesets/main.json`(PR必須・線形履歴・署名必須・ 必須ステータスチェック1件、command-ghostwriter用にローカルで新規作成)を 追加し、GitHub Repository Rulesets APIへplan/applyする簡略版ハーネス (scripts/rulesets_apply.py + .github/workflows/apply-rulesets.yml)を 上流tvna/claude-mdの簡略版として移植する。all-branches.jsonのみを sync-agent-instructions.ymlのsync-rulesetsジョブで自動追従させ、 main.jsonは(required_status_checksがリポジトリ固有のため)同期対象外とする。 PAT発行手順をdocs/runbooks/rulesets.mdに記録する(CLAUDE.md 4章の 秘密情報発行経路明記の要件に準拠)。 副次的に、.pre-commit-config.yamlのprettier-github-actions-yamlフックが entryに`./.github`ディレクトリを直書きしていたため、pre-commit自身が 渡すtypes: yamlフィルタを無視してprettierが`.github/`配下の.jsonファイルまで 再帰的に拾い、--parser=yamlで不正なトレイリングカンマ入りJSONへ書き換えて しまう既存バグを発見・修正した(entryから`./.github`を削除し、 pre-commitが渡すyamlファイルのみを対象にする)。 本コミットのみではmainは保護されない。実際に有効化するには、オーナーが RULESETS_PAT(Administration: Read and write, Metadata: Read-only、 tvna/command-ghostwriter限定のfine-grained PAT)を発行・登録し、 apply-rulesets.ymlをdry_run: falseで手動dispatchする必要がある。 Refs #503
RULESETS_PATをworkflow-level envから、実際に必要な"Guard RULESETS_PAT"と "Plan and apply rulesets"の2ステップのみのstep-level envへ移動する。 checkout・setup-pythonなど無関係なステップにAdministration: Read/writeの PATを晒さないため。 rulesets_apply.pyのfetch_live_rulesetsにincludes_parents=falseを追加し、 org-owned repoで同名のorg親rulesetが誤ってマッチしPUT先を誤ることを防ぐ (tvnaは個人アカウントのため現状は発火しないが、防御的に追加)。 いずれもPR #504へのCodexレビュー指摘(P2)。 Refs #503
CIのGuard workflow filesジョブでtyposツールが"mis-route"を "miss"/"mist"のtypoとして検出し失敗していた。コメントの表現を変更する。 Refs #503
Codexレビュー指摘(PR #504、peter-evans/create-pull-requestのソース コードで検証済み): sync-claude-md・sync-apm-skills・sync-rulesetsの 各ジョブはPRブランチを2回目以降更新する際に必ずforce-push相当の操作 (signed commitsの場合はGitHub APIのupdateRef force:true)を行うため、 all-branches.jsonのnon_fast_forwardルールを適用すると、既存PRが未 マージのまま次回スケジュール実行を迎えた際に週次sync PRの更新が 失敗する。 all-branches.jsonのexcludeにrefs/heads/chore/sync-*を追加する。この 除外は上流tvna/claude-mdには存在しないローカル追加のため、 sync-rulesetsジョブが上流ファイルをコピーした直後にPythonで決定的に 再付与するようにし(人間が気付いて手動で足し直す運用には頼らない)、 PR本文にも自己点検の一文を追加する。 Refs #503
Bumps the github-actions group with 5 updates: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.13.0` | `2.19.4` | | [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `7.0.0` | | [actions/github-script](https://github.com/actions/github-script) | `7.0.1` | `9.0.0` | | [madhead/semver-utils](https://github.com/madhead/semver-utils) | `4.3.0` | `5.0.0` | | [actions/setup-python](https://github.com/actions/setup-python) | `5.6.0` | `6.3.0` | Updates `step-security/harden-runner` from 2.13.0 to 2.19.4 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@v2.13.0...9af89fc) Updates `actions/checkout` from 4.2.2 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4.2.2...9c091bb) Updates `actions/github-script` from 7.0.1 to 9.0.0 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@v7.0.1...v9) Updates `madhead/semver-utils` from 4.3.0 to 5.0.0 - [Release notes](https://github.com/madhead/semver-utils/releases) - [Commits](madhead/semver-utils@36d1e0e...4cf918a) Updates `actions/setup-python` from 5.6.0 to 6.3.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@a26af69...ece7cb0) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.19.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/github-script dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: madhead/semver-utils dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-python dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
…ithub-actions-136b7e9fb2 build(deps): bump the github-actions group with 5 updates
ci(rulesets): protect main via ruleset sync + local apply harness (#503)
Redo of the earlier attempt (PR #519, closed): that PR was built from main's copy of this file (2 jobs, already on App tokens from #511/#512) and incorrectly targeted main as its own PR base, when claude/* branches in this repo are supposed to target develop. develop's actual copy of this file had diverged further than expected: it carries a third job (sync-rulesets, from #503/#504) that main never received, and none of its three jobs had the App-token fix at all (still on GITHUB_TOKEN, same mergeable_state: blocked bug class as #510). This commit is built directly from develop's content and applies, to all three jobs (sync-claude-md, sync-apm-skills, sync-rulesets): - actions/create-github-app-token minting, replacing GITHUB_TOKEN - an explicit ref: develop on the initial checkout step (schedule / workflow_dispatch triggers otherwise default to checking out main, which would leave the diff/commit basis on the wrong branch even after retargeting the PR itself) - base: main -> base: develop on the peter-evans/create-pull-request step main keeps receiving these updates only via the existing version-gated develop -> main release-promotion job, per the owner's explicit decision. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Lmf3s99U3jTwMjFDEVUYdJ
…-97xtty ci: App-token + develop-target all 3 sync-agent-instructions jobs (#518)
- useGenerate: expose worker `ready` so the output pane can distinguish loading from ready. - Editor: show an "initializing" spinner + status while Pyodide bootstraps (only while genuinely loading; a bootstrap error still surfaces as an error), and disable copy/save until ready. - Editor: make the center splitter draggable via a pointer handler that reallocates the pane-width fraction, clamped to 20%-80%. - Editor: add user-select:none to the app bar, pane headers, and status bars so they are clickable but not drag-selectable. - EmptyState: stack the concept-diagram cards vertically and rotate the flow arrow when the viewport is too narrow for a single row. Refs #529, #441 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AnNqAtPC31wodDZmYiRgz4
…ready (#529) Address Codex review on #530: the output pane gates its loading state on `ready`, but between the worker's `ready` message and the first debounced generate result, `raw` is still null and shapeResult() returns an empty-but-"ok" value. In that window the pane rendered an empty result with copy/save enabled, letting the user copy/download empty output. Gate on `ready && raw !== null` so the initializing state (and disabled copy/save) persists until the first result or error actually arrives. A bootstrap error sets `raw`, so it still surfaces via the normal error path rather than spinning forever. Add a regression test that drives the mocked worker through mount -> ready -> first result and asserts the pane stays in the initializing/disabled state across the ready-but-no-result window. Refs #530 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AnNqAtPC31wodDZmYiRgz4
Address self-review findings on #530: - Splitter drag no longer leaks on unmount: the window pointer listeners and the global body cursor/user-select are torn down via a ref-held cleanup tied to component lifetime (useEffect), plus a pointercancel handler, so an Editor unmount mid-drag can't strand the whole app in a col-resize cursor with text globally unselectable. - Splitter drag no longer re-renders the whole editor tree per pointermove: the grid template is mutated imperatively via requestAnimationFrame during the drag and committed to state once on pointer-up. Columns are applied from a layout effect (not React inline style) so an unrelated re-render mid-drag can't clobber the in-progress value. - Init spinner respects prefers-reduced-motion: instead of merely slowing the rotation, it switches to a gentle opacity pulse (no rotation), consistent with the file's reduced-motion posture for every other animation. Refs #530 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AnNqAtPC31wodDZmYiRgz4
feat(web): editor UX polish for the 2-pane editor (#529)
…name, download rework, splitter clamp (#532) - Entrance animations for the empty screen, how-to modal, and settings modal (fade/scale-in; honors prefers-reduced-motion by snapping to the final visible state so a fade-in never leaves an element invisible). - Replace the empty-screen tagline "設定定義 × テンプレート → 再現可能なコマンド" with the value-forward "値を変えるだけで、コマンドも手順書も。". - App-bar filename is now an editable field and is the download filename base; the download-filename input is removed from the settings modal. - Download extension is derived from the output mode (手順書 → .md, Raw → .txt) instead of a settings radio; the save button moves to the pane footer, copy stays in the header. DownloadOptions drops fname/ext. - Clamp the splitter with per-side minimum widths so neither pane header clips (the left header is wider than the right); falls back to 50/50 when the window is too small to grant both floors. Item 3 (template sub-categories) is intentionally not included: no such implementation exists in git history (see #532), so it is a new feature pending an owner decision rather than a restoration. Refs #532, #529 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AnNqAtPC31wodDZmYiRgz4
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
Implements item 3 as a new feature (no prior implementation existed in history — see #532). Adds a required `subCategory` field to Template and groups the library card grid into sub-category sections with headings + counts. Sub-categories follow each category's natural technical axis: network by vendor/product (Cisco, YAMAHA, firewalld), server by distro (Ubuntu / Debian), DNS by software (BIND), runbooks by target system (ネットワーク, プロキシ / Web), AI infra by product (NVIDIA DGX, step-ca / Caddy). Groups are ordered by category (so same-category sub-categories stay adjacent, incl. the "すべて" view) then by first appearance; the left category rail is unchanged. Refs #532 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AnNqAtPC31wodDZmYiRgz4
#532) - Splitter floors are now re-clamped on window resize, not only during a pointer drag: dragging wide then shrinking the window could otherwise drop a pane below its min width and clip its header (the exact case the floors exist to prevent). - The footer save-button label no longer misrepresents the saved file: it is built from the same sanitized base as the download and discloses the timestamp suffix as "(+日時)" (instead of a concrete time that would drift from the click-time value) when the timestamp toggle is on. - The document name is sanitized (path separators / reserved punctuation / leading dots stripped) before it becomes the <a download> filename, so a typed name like "report/v2" can't produce a broken, OS-dependent name. - The filename input gains a maxLength and the footer label truncates a long base, so a very long name can't overflow the footer. The input shows a "command" placeholder so an emptied field matches the download fallback. Adds component tests for the sanitize, empty-fallback, and timestamp-note behavior; the resize re-clamp is verified end-to-end in the browser. Refs #532 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AnNqAtPC31wodDZmYiRgz4
feat(web): editor UX enhancements round 2 (#532)
04c77f5 to
d6be6c3
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Automated sync of
CLAUDE.mdfrom the master repositorytvna/claude-md(main).Source of truth is
tvna/claude-md. Review required; do not auto-merge.Refs #427, #467