Add open source infrastructure and dogfood CLAUDE.md #9
jrenaldi79 wants to merge 2 commits into main from
- CLAUDE.md: project-specific guidance following our own templates (architecture, commands, key modules, gotchas, docs map)
- CONTRIBUTING.md: how to contribute, test, and submit PRs
- CODE_OF_CONDUCT.md: Contributor Covenant v2.0
- SECURITY.md: vulnerability reporting policy, scope of security components
- CHANGELOG.md: initial v1.0.0 release notes
- .editorconfig: consistent formatting for contributors
- .github/workflows/ci.yml: unit tests on Node 18/20/22, plugin manifest validation, secret scan, file size check
- .github/ISSUE_TEMPLATE/: bug report and feature request templates
- .github/PULL_REQUEST_TEMPLATE.md: PR checklist
- .github/CODEOWNERS: default reviewer assignment

https://claude.ai/code/session_01Hbxy31TkbujzukGFSxLcPw
Score: 17/36 criteria passing. Key gaps: no linter/formatter configured for the repo itself, no active git hooks, no .claude/settings.json or .claude/rules/ at root. The repo ships these as templates to users but doesn't install them for itself. https://claude.ai/code/session_01Hbxy31TkbujzukGFSxLcPw
Walkthrough
This PR establishes foundational repository governance and developer infrastructure by introducing documentation files (CLAUDE.md, CONTRIBUTING.md, CODE_OF_CONDUCT.md, SECURITY.md, CHANGELOG.md), GitHub issue and pull request templates, a readiness assessment report, editor configuration, code ownership rules, and a GitHub Actions CI workflow that runs tests across Node versions and validates plugin manifests, secrets, and file-size constraints.
Actionable comments posted: 7
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.claude/readiness-report.md:
- Line 6: The document contains inconsistent totals ("total: 37" and "17 / 36");
choose one source of truth and make them match: update the "total: 37" entry or
the "17 / 36" score so both reflect the same total criteria count (e.g., change
"total: 37" to "total: 36" or update "17 / 36" to "17 / 37"), and ensure any
other occurrences of the total in the file are updated to the same value so the
report is consistent.
In @.github/workflows/ci.yml:
- Around line 42-43: The CI step currently runs the secret scanner with "node
skills/setup/scripts/lib/check-secrets.js --all || true", which masks failures;
update the workflow to remove "|| true" so the job fails on detected secrets and
ensure the step invokes the scanner with the --all flag as shown; additionally
verify and, if necessary, update the check-secrets.js implementation (the CLI
entrypoint and any parsing of process.argv for "--all") so that the --all mode
actually scans the entire repository (not just staged files) and exits with a
non-zero code when secrets are found.
- Around line 58-59: The line-count check miscounts files with a trailing
newline because it uses fs.readFileSync(full, 'utf8').split('\n').length; fix by
first storing the file text (e.g. const text = fs.readFileSync(full, 'utf8')),
then compute lines accounting for a trailing newline: const lines = text === ''
? 0 : (text.endsWith('\n') ? text.split('\n').length - 1 :
text.split('\n').length); keep the rest of the condition (lines > 300 &&
!full.includes(...)) unchanged so exact 300-line files with a trailing newline
are not overcounted.
In `@CLAUDE.md`:
- Line 37: Two fenced code blocks in CLAUDE.md are unlabeled causing
markdownlint MD040; update each triple-backtick fence (the snippets showing the
harness-engineering/... tree and the "User installs plugin" snippet) to include
a language label such as text (e.g., change ``` to ```text at the opening fence
for both code blocks) so they are explicitly labeled and pass markdownlint.
- Around line 80-87: The documented script paths in CLAUDE.md are inconsistent
with the repo layout: update each entry that currently lists `scripts/...`
(e.g., `scripts/init-project.js`, `scripts/install-enforcement.js`,
`scripts/generate-claude-md.js`, `scripts/lib/check-secrets.js`,
`scripts/lib/check-file-sizes.js`, `scripts/lib/check-test-colocation.js`,
`scripts/lib/generate-docs.js`, `scripts/lib/validate-docs.js`) to the correct
location under `skills/setup/scripts/...` (or move the actual files to match the
docs if that’s intended); ensure the table rows all use the same prefix so paths
in the CLAUDE.md architecture section match the referenced script names exactly.
In `@CODE_OF_CONDUCT.md`:
- Line 35: Replace the vague reporting instruction in CODE_OF_CONDUCT.md
("project maintainers at the email address listed in the repository") with a
concrete, stable contact such as a dedicated reporting email or a persistent
link (for example "security@yourproject.org" or "See SECURITY.md for reporting:
<repo>/SECURITY.md"); update the sentence that starts "Instances of abusive,
harassing, or otherwise unacceptable behavior may be reported..." to include
that explicit email or link and ensure the new contact is consistent with any
SECURITY.md or contributing policies.
In `@SECURITY.md`:
- Around line 7-8: Update the SECURITY.md section that currently says "**Do not
open a public issue.** Instead, email the maintainers directly (see the
repository contact information) with:" to include a concrete private security
contact (e.g., a dedicated security@ or security-responders alias, or a link to
an external vulnerability disclosure form) and optional PGP/GPG key for
encrypted reports; ensure the explicit address/alias or URL is added immediately
after that sentence and include brief instructions for what information to
provide and expected acknowledgment timeframe so reporters have a clear private
channel.
Files selected for processing (12):
- .claude/readiness-report.md
- .editorconfig
- .github/CODEOWNERS
- .github/ISSUE_TEMPLATE/bug_report.md
- .github/ISSUE_TEMPLATE/feature_request.md
- .github/PULL_REQUEST_TEMPLATE.md
- .github/workflows/ci.yml
- CHANGELOG.md
- CLAUDE.md
- CODE_OF_CONDUCT.md
- CONTRIBUTING.md
- SECURITY.md
| level: 3 | ||
| level_name: Enforced | ||
| score: 17 | ||
| total: 37 |
Fix the inconsistent total criteria count.
Line [6] says total: 37, but Line [24] says 17 / 36. Keep one source of truth to avoid confusion in reporting.
Suggested doc fix
-**Score:** 17 / 36 criteria passing
+**Score:** 17 / 37 criteria passing
Also applies to: 24-24
| - name: Check for secrets in repo | ||
| run: node skills/setup/scripts/lib/check-secrets.js --all || true |
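Review bot: besides masking findings, the `|| true` on this step also hides a crash of the scanner itself (missing module, unknown flag, unhandled exception), so a broken scanner reads as a clean scan. After dropping `|| true`, add a negative self-test to the job (a fixture file containing a known dummy pattern that the step must flag, run with the expected non-zero exit) so a scanner that silently scans nothing is caught rather than passing.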
Secret scanning is non-enforcing and effectively ineffective in CI.
Line [43] masks failures with || true, and the current script invocation does not guarantee repository-wide scanning in CI. This creates a security blind spot.
Minimum workflow-side fix
- - name: Check for secrets in repo
- run: node skills/setup/scripts/lib/check-secrets.js --all || true
+ - name: Check for secrets in repo
+ run: node skills/setup/scripts/lib/check-secrets.js --all
You should also ensure skills/setup/scripts/lib/check-secrets.js truly implements --all semantics for CI (not only staged-file mode).
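The CLI contract the CI step depends on, shown as an added example that is not the project's `check-secrets.js`: `--all` selects every file rather than only the staged subset, and the exit code is non-zero whenever a pattern matches, which is exactly what `|| true` throws away. The function names, the pattern list and the sample repository are constructed for this illustration.

```javascript
// Added example (hypothetical scanner, not skills/setup/scripts/lib/check-secrets.js).
// A few well-known, high-precision patterns; a real scanner needs a broader set.
const SECRET_PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'GitHub token', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: 'Private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/ },
];

// Scan a map of path -> content and return every match with its line number.
function scanFiles(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      for (const { name, re } of SECRET_PATTERNS) {
        if (re.test(line)) findings.push({ file, line: i + 1, name });
      }
    });
  }
  return findings;
}

// Choose the file set from argv: `--all` means the whole tree, otherwise only the
// staged paths. Returns the process exit code: 1 when anything matched, else 0.
// In the workflow, `node check-secrets.js --all || true` turns that 1 back into 0.
function runScanner(argv, allFiles, stagedPaths) {
  const selected = argv.includes('--all')
    ? allFiles
    : Object.fromEntries(Object.entries(allFiles).filter(([p]) => stagedPaths.includes(p)));
  const findings = scanFiles(selected);
  for (const f of findings) console.error(`${f.file}:${f.line}: ${f.name}`);
  return findings.length > 0 ? 1 : 0;
}

// Constructed repository: the leaked key sits in a file that is NOT staged, so a
// staged-only scan passes while a `--all` scan correctly fails. The key value is
// the example access key id from AWS's own documentation, not a live credential.
const SAMPLE_REPO = {
  'src/index.js': 'module.exports = () => 42;\n',
  'config/old.env': 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n',
  'docs/notes.md': 'Rotate tokens quarterly.\n',
};
const SAMPLE_STAGED = ['src/index.js'];
```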
| const lines = fs.readFileSync(full, 'utf8').split('\n').length; | ||
| if (lines > 300 && !full.includes('SKILL.md') && !full.includes('README.md') && !full.includes('global-claude.md')) { |
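Review bot: the exemption test `!full.includes('README.md')` (and the `SKILL.md` and `global-claude.md` ones) is a substring match on the whole path, so any path containing that text anywhere, including a directory named that way, is skipped rather than only files with that basename. Match on `path.basename(full)` against an explicit set of exempt filenames so the exemption is precise, and list those filenames next to the 300-line limit in CLAUDE.md.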
Line-count gate has an off-by-one risk at the 300-line boundary.
Line [58] counts split('\n').length directly. Files ending with a trailing newline are overcounted by 1, so exact-limit files can fail incorrectly.
Suggested fix
- const lines = fs.readFileSync(full, 'utf8').split('\n').length;
- if (lines > 300 && !full.includes('SKILL.md') && !full.includes('README.md') && !full.includes('global-claude.md')) {
- console.error(full + ': ' + lines + ' lines (max 300)');
+ const content = fs.readFileSync(full, 'utf8');
+ const rawLines = content.split('\n').length;
+ const lines = content.endsWith('\n') ? rawLines - 1 : rawLines;
+ if (lines > 300 && !full.includes('SKILL.md') && !full.includes('README.md') && !full.includes('global-claude.md')) {
+ console.error(full + ': ' + lines + ' lines (max 300)');
violations++;
}
|
|
||
| ## Architecture | ||
|
|
||
| ``` |
Add language labels to fenced code blocks (MD040).
Lines [37] and [59] start unlabeled fenced blocks. markdownlint flags these; add text (or an appropriate language).
Suggested doc fix
-```
+```text
harness-engineering/
...
-```
+```
-```
+```text
User installs plugin
...
-```
+```
Also applies to: 59-59
🧰 Tools
🪛 markdownlint-cli2 (0.21.0)
[warning] 37-37: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
| | `scripts/init-project.js` | Node/TS project scaffolding (package.json, tsconfig, directories) | | ||
| | `scripts/install-enforcement.js` | Copies enforcement scripts, hooks, configs into target project | | ||
| | `scripts/generate-claude-md.js` | Generates tailored CLAUDE.md from templates | | ||
| | `scripts/lib/check-secrets.js` | Pattern-matches API keys, tokens, private keys in staged files | | ||
| | `scripts/lib/check-file-sizes.js` | Rejects files over 300 lines | | ||
| | `scripts/lib/check-test-colocation.js` | Verifies source files have colocated test files | | ||
| | `scripts/lib/generate-docs.js` | Auto-regenerates CLAUDE.md sections between AUTO markers | | ||
| | `scripts/lib/validate-docs.js` | Detects drift between source code and CLAUDE.md content | |
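Review bot: the `check-secrets.js` row describes the script as matching patterns "in staged files", while ci.yml in this same PR invokes it with `--all` and relies on a repository-wide scan. If the script has an `--all` mode, say so in this row (for example "staged files, or the whole tree with --all"); if it does not, the CI step is documenting behaviour the script lacks and one of the two needs to change.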
Key Modules paths are inconsistent with the documented repo structure.
Lines [80]-[87] reference scripts/..., but this file’s architecture section places these under skills/setup/scripts/.... Broken paths reduce doc reliability.
Suggested doc fix
-| `scripts/init-project.js` | Node/TS project scaffolding (package.json, tsconfig, directories) |
-| `scripts/install-enforcement.js` | Copies enforcement scripts, hooks, configs into target project |
-| `scripts/generate-claude-md.js` | Generates tailored CLAUDE.md from templates |
-| `scripts/lib/check-secrets.js` | Pattern-matches API keys, tokens, private keys in staged files |
-| `scripts/lib/check-file-sizes.js` | Rejects files over 300 lines |
-| `scripts/lib/check-test-colocation.js` | Verifies source files have colocated test files |
-| `scripts/lib/generate-docs.js` | Auto-regenerates CLAUDE.md sections between AUTO markers |
-| `scripts/lib/validate-docs.js` | Detects drift between source code and CLAUDE.md content |
+| `skills/setup/scripts/init-project.js` | Node/TS project scaffolding (package.json, tsconfig, directories) |
+| `skills/setup/scripts/install-enforcement.js` | Copies enforcement scripts, hooks, configs into target project |
+| `skills/setup/scripts/generate-claude-md.js` | Generates tailored CLAUDE.md from templates |
+| `skills/setup/scripts/lib/check-secrets.js` | Pattern-matches API keys, tokens, private keys in staged files |
+| `skills/setup/scripts/lib/check-file-sizes.js` | Rejects files over 300 lines |
+| `skills/setup/scripts/lib/check-test-colocation.js` | Verifies source files have colocated test files |
+| `skills/setup/scripts/lib/generate-docs.js` | Auto-regenerates CLAUDE.md sections between AUTO markers |
+| `skills/setup/scripts/lib/validate-docs.js` | Detects drift between source code and CLAUDE.md content |
|
|
||
| ## Enforcement | ||
|
|
||
| Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the project maintainers at the email address listed in the repository. All complaints will be reviewed and investigated promptly and fairly. |
Provide an explicit reporting contact in the file.
At Line 35, the process depends on an email “listed in the repository,” but no direct contact is given here. Please include a concrete address or a stable link (e.g., SECURITY.md section) to avoid dead-end reporting paths.
Proposed clarification
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the project maintainers at the email address listed in the repository. All complaints will be reviewed and investigated promptly and fairly.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the project maintainers at security@example.com (or via the reporting process in SECURITY.md). All complaints will be reviewed and investigated promptly and fairly.
| **Do not open a public issue.** Instead, email the maintainers directly (see the repository contact information) with: | ||
|
|
Add an explicit private security contact.
Line [7] instructs reporters to email maintainers, but no concrete address/alias/link is provided. That can delay or prevent vulnerability disclosure.
Suggested doc fix
-**Do not open a public issue.** Instead, email the maintainers directly (see the repository contact information) with:
+**Do not open a public issue.** Instead, email **security@your-domain.tld** (or open a private GitHub Security Advisory) with:
Summary
- CLAUDE.md for this repo, dogfooding our own templates (architecture, commands, key modules, gotchas, docs map)
- CONTRIBUTING.md, CODE_OF_CONDUCT.md, SECURITY.md, CHANGELOG.md
- .github/ infrastructure: CI workflow (Node 18/20/22), issue templates, PR template, CODEOWNERS
- .editorconfig for consistent contributor formatting

Details
CLAUDE.md follows the project-claude.md template patterns:
CI workflow runs on PRs and pushes to main:
Test plan
https://claude.ai/code/session_01Hbxy31TkbujzukGFSxLcPw