ci(workflows): hygiene pass -- concurrency + SHA pin

[KooshaPari]

User description

Sweep 7 .github/workflows/*.yml:

• Add 'concurrency: cancel-in-progress: true' to ci.yml
• Pin actions/checkout, trufflehog/actions/setup to immutable SHAs
  in workflows that reference them
• Add 'permissions: contents: read' blocks where missing

The ahead docs commit 45d32be (user-story traceability map) is
preserved at HEAD~1; this is a separate, additive hygiene pass on
the workflow files.

Co-Authored-By: Claude Opus 4.7 noreply@anthropic.com

Note

Low Risk
Changes are CI configuration and documentation only; Trufflehog still scans with read-only repo access and the built-in token.

Overview
GitHub Actions hygiene across seven workflows: each now declares concurrency with cancel-in-progress: true so a new run on the same ref cancels stale jobs (CI, doc-links, FR coverage, quality gate, scorecard, trufflehog, alert-sync).

Permissions are tightened or made explicit: alert-sync-issues moves scoped permissions to the workflow top (issues write, security-events/actions read); scorecard drops read-all for explicit read/write scopes; trufflehog adds contents: read at workflow level.

Trufflehog pins actions/checkout and trufflehog/actions/setup to immutable SHAs, sets persist-credentials: false, and uses github.token instead of secrets.GITHUB_TOKEN.

Documentation: adds docs/reports/user-story-map.md, a user-story → FR traceability table with code/test/journey/gate checkboxes and coverage gaps (FR-005–007 called out as lowest).

^{Reviewed by Cursor Bugbot for commit 001a75e. Bugbot is set up for automated code reviews on this repo. Configure here.}

---

CodeAnt-AI Description

Tighten workflow runs and add a user-story traceability map

What Changed

• New workflow runs on the same branch now cancel earlier queued CI, coverage, doc-link, scorecard, alert-sync, and security-scan jobs.
• Security scanning now uses pinned action versions, read-only repository access, and the built-in token for safer and more predictable scans.
• Workflow permissions are made explicit where they were missing, including the alert-sync and scorecard jobs.
• Added a traceability report that maps user stories to functional requirements, code, tests, and gaps in coverage.

Impact

✅ Fewer stale CI runs
✅ Safer security scans
✅ Clearer workflow access rules
✅ Easier coverage review for functional requirements

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request standardizes GitHub Actions workflow concurrency controls across six workflows to prevent duplicate concurrent runs, applies selective permission scoping and action pinning updates for security and reliability, and introduces a new user-story-to-functional-requirement traceability document mapping seven FRs to source, test, and manifest artifacts with coverage analysis and completion roadmap.

Changes

GitHub Actions Workflow Concurrency and Security Updates

Layer / File(s)	Summary
Standard concurrency configuration .github/workflows/ci.yml, .github/workflows/doc-links.yml, .github/workflows/fr-coverage.yml, .github/workflows/quality-gate.yml	Four workflows add concurrency blocks grouped by ${{ github.workflow }}-${{ github.ref }} with cancel-in-progress: true to supersede in-flight runs.
Permissions, concurrency, and action pinning updates .github/workflows/alert-sync-issues.yml, .github/workflows/scorecard.yml, .github/workflows/trufflehog.yml	Alert-sync-issues reorders configuration, moving permissions to the front and adding concurrency. Scorecard replaces permissions: read-all with scoped permissions (contents: read, security-events: write, id-token: write, actions: read) and adds concurrency. Trufflehog adds explicit permissions, concurrency, pins actions/checkout and trufflehog/actions/setup to specific commits, and changes GH_TOKEN from ${{ secrets.GITHUB_TOKEN }} to ${{ github.token }}.

Functional Requirement Traceability Documentation

Layer / File(s)

Summary

FR traceability map and coverage analysis docs/reports/user-story-map.md

New document defines user-story traceability with legend, maps seven FRs (FR-001 through FR-007) to source files, test files, journey manifests, and CI gates with artifact status checkboxes, coverage summary metrics, identifies three lowest-coverage stories (FR-005, FR-006, FR-007), and outlines next actions for missing FR descriptions, journey manifests, Playwright e2e coverage, and FR Coverage CI integration.

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main changes: adding concurrency blocks and pinning SHAs across GitHub Actions workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description accurately describes the changeset, covering workflow hygiene improvements (concurrency, permission scoping, action pinning) and documentation additions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/workflow-hygiene-20260606

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch ci/workflow-hygiene-20260606

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	hast@​1.0.0
	lodash-es@​4.17.23
	hast-util-to-mdast@​10.1.2
	frimousse@​0.3.0
	highlight.js@​11.11.1
	helmet@​7.2.0
	uuid@​9.0.1 ⏵ 13.0.0				+40
	framer-motion@​12.23.12

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		High CVE: lodash vulnerable to Code Injection via _.template imports key names in npm `lodash-es` CVE: GHSA-r5fr-rjxr-66jc lodash vulnerable to Code Injection via _.template imports key names (HIGH) Affected versions: >= 4.0.0 < 4.18.0 Patched version: 4.18.0 From: rust/Planify/apps/admin/package.json → npm/lodash-es@4.17.23 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash-es@4.17.23. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters CVE: GHSA-37ch-88jc-xwx2 path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters (HIGH) Affected versions: < 0.1.13 Patched version: 0.1.13 From: ? → npm/express@4.22.0 → npm/path-to-regexp@0.1.12 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/path-to-regexp@0.1.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client CVE: GHSA-f269-vfmq-vjvj Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client (HIGH) Affected versions: >= 6.0.0 < 6.24.0; >= 7.0.0 < 7.24.0 Patched version: 7.24.0 From: ? → npm/@effect/platform-node@0.104.0 → npm/undici@7.18.2 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@7.18.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation CVE: GHSA-v9p9-hfj2-hcw8 Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation (HIGH) Affected versions: < 6.24.0; >= 7.0.0 < 7.24.0 Patched version: 7.24.0 From: ? → npm/@effect/platform-node@0.104.0 → npm/undici@7.18.2 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@7.18.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression CVE: GHSA-vrm6-8vpv-qv8q Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression (HIGH) Affected versions: < 6.24.0; >= 7.0.0 < 7.24.0 Patched version: 7.24.0 From: ? → npm/@effect/platform-node@0.104.0 → npm/undici@7.18.2 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@7.18.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Deprecated by its maintainer: npm glob Reason: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me From: ? → npm/@storybook/react-vite@9.1.10 → npm/glob@11.1.0 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@11.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Deprecated by its maintainer: npm hast with reason "Renamed to rehype" Reason: Renamed to rehype From: rust/Planify/packages/utils/package.json → npm/hast@1.0.0 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hast@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[gemini-code-assist]

Code Review

This pull request introduces a new traceability map in docs/traceability/user-story-map.md to track user stories, functional requirements, source files, tests, and journey manifests. The review feedback highlights two main points: first, there is a discrepancy between the PR's stated purpose (updating GitHub workflows) and the actual file changes, which only include the documentation file; second, there is an inconsistency in the document's introductory note regarding the test coverage of FR-006 and FR-007, which actually have partial tests listed in the table.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

The pull request title and description indicate that this PR performs a sweep of .github/workflows/*.yml files to add concurrency configurations, pin actions to immutable SHAs, and add permissions. However, the only file modified in this pull request is docs/traceability/user-story-map.md. The workflow files themselves are not present in the changes.

[gemini-code-assist]

The note states that FR-005, FR-006, and FR-007 have "no test or journey artifact yet." However, the traceability table and the summary below show that FR-006 and FR-007 do have partial/tangential test files associated with them (test_authentication.py and test_api_token.py respectively).\n\nTo maintain accuracy and consistency within the document, consider updating this note to reflect that they have limited/partial test coverage rather than no tests at all.

Suggested change

- **Note:** All seven FRs are stubs (`Status: Stub`, `Test Status: Not yet written`). Source / test / journey columns are populated where the existing code/test layout already maps to the intent, and `[ ]` boxes mark which rows still need a journey manifest, code, test, and gate wired up. The FR-005 / FR-006 / FR-007 rows are the lowest-coverage rows because they have no test or journey artifact yet.

- **Note:** All seven FRs are stubs (Status: Stub, Test Status: Not yet written). Source / test / journey columns are populated where the existing code/test layout already maps to the intent, and [ ] boxes mark which rows still need a journey manifest, code, test, and gate wired up. The FR-005 / FR-006 / FR-007 rows are the lowest-coverage rows because they have limited or no test coverage and no journey artifacts yet.

[codeant-ai]

Suggestion: Move this new documentation file into one of the allowed documentation subdirectories (for example docs/reference/ or docs/reports/) so it complies with the required docs hierarchy. [custom_rule]

Severity Level: Minor ⚠️

Why it matters? 🤔

The repository guidance in AGENTS.md says docs should be kept under docs/guides/, docs/reports/, docs/research/, docs/reference/, or docs/checklists/. This file was added under docs/traceability/, which is not one of the allowed documentation subdirectories, so the suggestion identifies a real rule violation.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** docs/traceability/user-story-map.md
**Line:** 1:1
**Comment:**
	*Custom Rule: Move this new documentation file into one of the allowed documentation subdirectories (for example `docs/reference/` or `docs/reports/`) so it complies with the required docs hierarchy.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

👍 | 👎

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Trufflehog token not interpolated
  • Removed the leading backslash from GH_TOKEN so GitHub Actions correctly evaluates ${{ github.token }} instead of passing a literal string.

Or push these changes by commenting:

@cursor push e14e4b7eab

Preview (e14e4b7eab)

diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -21,4 +21,4 @@
       - uses: trufflehog/actions/setup@3fc0c2a225a9d249aea9b97a1c40c40a5ff7e0c0
       - run: trufflehog github --only-verified --no-update
         env:
-          GH_TOKEN: \${{ github.token }}
+          GH_TOKEN: ${{ github.token }}

_{You can send follow-ups to the cloud agent here.}

^{Reviewed by Cursor Bugbot for commit 77d60b2. Configure here.}

[codeant-ai]

🔴 Architect Review — CRITICAL

The GH_TOKEN environment variable is set to the escaped literal \${{ github.token }}, so the expression is never evaluated and Trufflehog receives a non-functional token string instead of an actual authentication token.

Suggestion: Remove the escaping so the value is GH_TOKEN: ${{ github.token }}, then verify the Trufflehog GitHub scan step succeeds for both push and pull_request events using the evaluated token.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/trufflehog.yml
**Line:** 22:24
**Comment:**
	*CRITICAL: The GH_TOKEN environment variable is set to the escaped literal `\${{ github.token }}`, so the expression is never evaluated and Trufflehog receives a non-functional token string instead of an actual authentication token.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[coderabbitai]

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/alert-sync-issues.yml:
- Around line 2-3: The caller workflow's minimal permissions (permissions:
contents: read) prevent the reusable workflow from performing actions that
require broader scopes; update the permissions block in
.github/workflows/alert-sync-issues.yml to include at least issues: write,
security-events: read and actions: read (keeping contents: read) so the reusable
workflow can create/update/comment on issues and read security events and
workflow runs; locate the top-level permissions stanza and expand it accordingly
so the called workflow at commit 438e2e7 can run without being capped by the
caller.

In @.github/workflows/scorecard.yml:
- Around line 8-16: The workflow file `.github/workflows/scorecard.yml` contains
duplicate top-level `permissions` entries - one with `contents: read` and
another with `read-all`. YAML will override the first entry with the second,
which undermines the least-privilege principle and creates ambiguity. Remove one
of the duplicate `permissions` entries to keep only a single top-level
permissions declaration. Determine which permission level is appropriate for
your workflow requirements and delete the redundant entry to avoid confusion and
ensure consistent permission handling.

In @.github/workflows/trufflehog.yml:
- Line 24: Remove the escaping so the GH_TOKEN environment var is interpolated
(change GH_TOKEN: \${{ github.token }} to GH_TOKEN: ${{ github.token }}), and
update the checkout step to set persist-credentials: false so checkout
credentials aren't left available to subsequent steps; modify the workflow's
checkout action configuration (the step that uses actions/checkout) to include
persist-credentials: false and ensure GH_TOKEN uses the unescaped ${{
github.token }} expression.
- Around line 18-20: The checkout step currently uses actions/checkout@v4
without disabling token persistence; update the checkout action configuration
(the step using "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10") to
set with: persist-credentials: false so the GITHUB_TOKEN/SSH credentials are not
written to the repo git config and cannot be used by subsequent steps.

In `@docs/traceability/user-story-map.md`:
- Around line 1-8: The traceability map document "User Story -> Journey -> FR
Traceability Map" (user-story-map.md) is placed under docs/traceability which
violates the docs layout policy; move the file to the appropriate top-level docs
folder (preferably docs/reference/user-story-map.md if it is a reference
artifact, or docs/reports/traceability-map.md if it is a status/coverage
report), update any relative links inside the document (e.g., the
FUNCTIONAL_REQUIREMENTS.md and journey-traceability.md links) and update any
references to the old path in README/TOC or other docs so the new location
follows the docs/guides|reports|research|reference|checklists structure.
- Around line 19-27: The traceability table references several missing manifest
and source files (see FR-001..FR-004 entries); update the repo and the table so
the referenced files exist and the table is accurate: add or commit the missing
journey manifest files docs/journeys/manifests/planify-workspace-create.json,
planify-cycle-run.json, multistack-bootstrap.json, planify-dep-graph.json and
ensure the source dependency file rust/Planify/apps/api/plane/requirements.txt
is added or the FR-004 row updated to point to the correct existing file; then
update the user-story-map.md rows for FR-001..FR-004 to reference the correct
filenames (or remove the manifest/source references) so entries for Planify
workspace (FR-001), cycle run (FR-002), multistack bootstrap (FR-003) and
dependency graph (FR-004) accurately reflect committed files.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e751e9f4-ddf5-49e8-8352-9e4ef15f3158

📥 Commits

Reviewing files that changed from the base of the PR and between ef2219b and 77d60b2.

📒 Files selected for processing (8)

• .github/workflows/alert-sync-issues.yml
• .github/workflows/ci.yml
• .github/workflows/doc-links.yml
• .github/workflows/fr-coverage.yml
• .github/workflows/quality-gate.yml
• .github/workflows/scorecard.yml
• .github/workflows/trufflehog.yml
• docs/traceability/user-story-map.md

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Cursor Bugbot
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Analyze (javascript-typescript)

🧰 Additional context used

📓 Path-based instructions (4)

docs/**

📄 CodeRabbit inference engine (CLAUDE.md)

Run documentation validation using vale docs/ to check documentation quality

Files:

• docs/traceability/user-story-map.md

**/*.{js,ts,tsx,jsx,py,rs,go,java,kt,scala,cs,rb,php,c,cpp,h,hpp,m,swift,json,yaml,yml,toml,xml,html,css,scss,less,md}

📄 CodeRabbit inference engine (AGENTS.md)

All code MUST pass linting and formatting checks before commit; run linters and formatters locally, fix errors without suppressing warnings, and commit all formatting changes before feature changes

Files:

• docs/traceability/user-story-map.md

**/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Use Vale for Markdown validation where available

Files:

• docs/traceability/user-story-map.md

docs/**/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Keep documentation organized per global structure in docs/guides/, docs/reports/, docs/research/, docs/reference/, docs/checklists/

Files:

• docs/traceability/user-story-map.md

🪛 LanguageTool

docs/traceability/user-story-map.md

[uncategorized] ~21-~21: The official name of this software platform is spelled with a capital “H”.
Context: ...nify-workspace-create.json(planned) |.github/workflows/fr-coverage.yml` | [ ] | [x] ...

(GITHUB)

---

[uncategorized] ~22-~22: The official name of this software platform is spelled with a capital “H”.
Context: ...sts/planify-cycle-run.json(planned) |.github/workflows/quality-gate.yml` | [ ] | [x]...

(GITHUB)

---

[uncategorized] ~23-~23: The official name of this software platform is spelled with a capital “H”.
Context: .../multistack-bootstrap.json(planned) |.github/workflows/ci.yml` | [ ] | [x] | [x] | [...

(GITHUB)

---

[uncategorized] ~24-~24: The official name of this software platform is spelled with a capital “H”.
Context: ...sts/planify-dep-graph.json(planned) |.github/workflows/ci.yml` | [ ] | [x] | [x] | [...

(GITHUB)

---

[uncategorized] ~52-~52: The official name of this software platform is spelled with a capital “H”.
Context: ...6/007 are the biggest gaps). - [ ] Wire .github/workflows/fr-coverage.yml to a real FR...

(GITHUB)

🪛 zizmor (1.25.2)

.github/workflows/trufflehog.yml

[warning] 18-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[info] 15-15: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

🔇 Additional comments (8)

docs/traceability/user-story-map.md (4)

9-16: LGTM!

---

29-40: LGTM!

---

41-46: LGTM!

---

1-52: Install Vale and run vale docs/ for Markdown validation (docs/traceability/user-story-map.md)

Vale isn’t available in the current environment (vale command not found), so the documentation validation step couldn’t run. Install Vale and execute vale docs/ (or at minimum vale docs/traceability/user-story-map.md) to satisfy the Markdown validation guidelines.

.github/workflows/ci.yml (1)

16-18: LGTM!

.github/workflows/doc-links.yml (1)

6-8: LGTM!

.github/workflows/fr-coverage.yml (1)

6-8: LGTM!

.github/workflows/quality-gate.yml (1)

6-8: LGTM!

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify file paths referenced in the traceability table exist

echo "=== Checking source files ==="
fd -t f "base.py" rust/Planify/apps/api/plane/app/views/workspace/
fd -t f "base.py" rust/Planify/apps/api/plane/app/views/project/
fd -t f "core.ts" rust/Planify/apps/web/app/routes/
fd -t f "issue_automation_task.py" rust/Planify/apps/api/plane/bgtasks/
fd -t f "email_notification_task.py" rust/Planify/apps/api/plane/bgtasks/
fd -t f "pnpm-workspace.yaml" rust/Planify/
fd -t f "turbo.json" rust/Planify/
fd -t f "Dockerfile.api" rust/Planify/apps/api/
fd -t f ".env.example" rust/Planify/
fd -t f "doppler.yaml" rust/Planify/
fd -t f ".env.example" go/KaskMan/

echo "=== Checking test files ==="
fd -t f "test_workspace_app.py" rust/Planify/apps/api/plane/tests/contract/app/
fd -t f "test_project_app.py" rust/Planify/apps/api/plane/tests/contract/app/
fd -t f "smoke_test.go" tests/
fd -t f "test_cycles.py" rust/Planify/apps/api/plane/tests/contract/api/
fd -t f "remove-directives.spec.ts" rust/Planify/packages/codemods/tests/
fd -t f "test_authentication.py" rust/Planify/apps/api/plane/tests/contract/app/

echo "=== Checking workflow files ==="
fd -t f "fr-coverage.yml" .github/workflows/
fd -t f "quality-gate.yml" .github/workflows/
fd -t f "ci.yml" .github/workflows/

echo "=== Checking referenced docs ==="
fd -t f "FUNCTIONAL_REQUIREMENTS.md"
fd -t f "journey-traceability.md" docs/operations/

echo "=== Checking planned journey manifest directory ==="
ls -la docs/journeys/manifests/ 2>/dev/null || echo "Directory docs/journeys/manifests/ does not exist yet"

Repository: KooshaPari/PhenoProject

Length of output: 1313

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify all referenced paths from docs/traceability/user-story-map.md

missing=0

check_file() {
  local p="$1"
  if [ -e "$p" ]; then
    echo "OK: $p"
  else
    echo "MISSING: $p"
    missing=1
  fi
}

check_dir() {
  local p="$1"
  if [ -d "$p" ]; then
    echo "OK(dir): $p"
  else
    echo "MISSING(dir): $p"
    missing=1
  fi
}

echo "=== Verifying exact paths from traceability table ==="

# FR-001
check_file "rust/Planify/apps/api/plane/app/views/workspace/base.py"
check_file "rust/Planify/apps/api/plane/app/views/project/base.py"
check_file "rust/Planify/apps/web/app/routes/core.ts"
check_file "rust/Planify/apps/api/plane/tests/contract/app/test_workspace_app.py"
check_file "rust/Planify/apps/api/plane/tests/contract/app/test_project_app.py"
check_file "tests/smoke_test.go"
check_file "docs/journeys/manifests/planify-workspace-create.json"
check_file ".github/workflows/fr-coverage.yml"

# FR-002
check_dir  "rust/Planify/apps/api/plane/app/views/cycle"
check_file "rust/Planify/apps/api/plane/bgtasks/issue_automation_task.py"
check_file "rust/Planify/apps/api/plane/bgtasks/email_notification_task.py"
check_file "rust/Planify/apps/api/plane/tests/contract/api/test_cycles.py"
check_file "docs/journeys/manifests/planify-cycle-run.json"
check_file ".github/workflows/quality-gate.yml"

# FR-003
check_dir  "rust/Planify"
check_dir  "go/KaskMan"
check_file "rust/Planify/packages/codemods/tests/remove-directives.spec.ts"
check_file "rust/Planify/packages/codemods/tests/function-declaration.spec.ts"
check_file "go/KaskMan/src/rnd-module/RnDModule.test.js"
check_file "docs/journeys/manifests/multistack-bootstrap.json"
check_file ".github/workflows/ci.yml"

# FR-004
check_file "rust/Planify/pnpm-workspace.yaml"
check_file "rust/Planify/turbo.json"
check_file "rust/Planify/package.json"
check_file "rust/Planify/apps/api/plane/requirements.txt"
check_file "rust/Planify/apps/live/tests/services/pdf-export/effect-utils.test.ts"
check_file "rust/Planify/apps/live/tests/lib/pdf/pdf-rendering.test.ts"
check_file "docs/journeys/manifests/planify-dep-graph.json"
check_file ".github/workflows/ci.yml"

# FR-005
check_file "rust/Planify/apps/api/Dockerfile.api"
check_file "rust/Planify/apps/web/Dockerfile.web"
check_file "rust/Planify/apps/space/Dockerfile.space"
check_dir  "rust/Planify/deployments/"
# none for test/journey/workflows other than gate wiring in table (no path)

# FR-006
check_file "rust/Planify/.env.example"
check_file "rust/Planify/doppler.yaml"
check_dir  "rust/Planify/apps/api/plane/settings/"
check_file "go/KaskMan/.env.example"
check_file "go/KaskMan/dashboard-memory.json"
check_file "rust/Planify/apps/api/plane/tests/contract/app/test_authentication.py"

# none for journey manifest / workflows in table (paths are "none")

# FR-007
check_dir  "rust/Planify/apps/api/plane/app/views/webhook"
check_file "rust/Planify/apps/api/plane/bgtasks/export_task.py"
check_dir  "rust/Planify/apps/api/plane/license"
check_file "go/KaskMan/src/interfaces/api/server.js"
check_file "rust/Planify/apps/api/plane/tests/contract/app/test_api_token.py"

echo "=== Verifying docs/journeys/manifests/ contents ==="
ls -la docs/journeys/manifests/ || true

if [ "${missing:-0}" -ne 0 ]; then
  echo "RESULT: Some referenced paths are missing."
  exit 1
fi

echo "RESULT: All referenced paths exist."

Repository: KooshaPari/PhenoProject

Length of output: 2520

---

Fix missing referenced files in traceability table (docs/traceability/user-story-map.md:19-27)

• Missing journey manifests:
  • docs/journeys/manifests/planify-workspace-create.json (FR-001)
  • docs/journeys/manifests/planify-cycle-run.json (FR-002)
  • docs/journeys/manifests/multistack-bootstrap.json (FR-003)
  • docs/journeys/manifests/planify-dep-graph.json (FR-004)
• Missing source dependency file:
  • rust/Planify/apps/api/plane/requirements.txt (FR-004)

🧰 Tools

🪛 LanguageTool

[uncategorized] ~21-~21: The official name of this software platform is spelled with a capital “H”.
Context: ...nify-workspace-create.json(planned) |.github/workflows/fr-coverage.yml` | [ ] | [x] ...

(GITHUB)

---

[uncategorized] ~22-~22: The official name of this software platform is spelled with a capital “H”.
Context: ...sts/planify-cycle-run.json(planned) |.github/workflows/quality-gate.yml` | [ ] | [x]...

(GITHUB)

---

[uncategorized] ~23-~23: The official name of this software platform is spelled with a capital “H”.
Context: .../multistack-bootstrap.json(planned) |.github/workflows/ci.yml` | [ ] | [x] | [x] | [...

(GITHUB)

---

[uncategorized] ~24-~24: The official name of this software platform is spelled with a capital “H”.
Context: ...sts/planify-dep-graph.json(planned) |.github/workflows/ci.yml` | [ ] | [x] | [x] | [...

(GITHUB)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/traceability/user-story-map.md` around lines 19 - 27, The traceability
table references several missing manifest and source files (see FR-001..FR-004
entries); update the repo and the table so the referenced files exist and the
table is accurate: add or commit the missing journey manifest files
docs/journeys/manifests/planify-workspace-create.json, planify-cycle-run.json,
multistack-bootstrap.json, planify-dep-graph.json and ensure the source
dependency file rust/Planify/apps/api/plane/requirements.txt is added or the
FR-004 row updated to point to the correct existing file; then update the
user-story-map.md rows for FR-001..FR-004 to reference the correct filenames (or
remove the manifest/source references) so entries for Planify workspace
(FR-001), cycle run (FR-002), multistack bootstrap (FR-003) and dependency graph
(FR-004) accurately reflect committed files.

[codeant-ai]

CodeAnt AI is running Incremental review

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

CodeAnt AI Incremental review completed.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Stale review - issues addressed

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/scorecard.yml:
- Around line 10-12: The workflow-level permissions block is granting elevated
scopes (security-events, id-token, actions) globally; remove or narrow the
top-level permissions block so those elevated scopes are only defined under
jobs.analysis.permissions (leave jobs.analysis.permissions as-is) to ensure
least-privileged defaults for other jobs—specifically delete the top-level
"permissions" entries (security-events: write, id-token: write, actions: read)
and rely on the existing jobs.analysis.permissions stanza to provide those
scopes only to the analysis job.

In `@docs/reports/user-story-map.md`:
- Line 5: Fix the broken "Journey standard" markdown link in
docs/reports/user-story-map.md by changing the link target from
../../operations/journey-traceability.md to
../operations/journey-traceability.md so it correctly points one directory up;
update the markdown link text `[../../operations/journey-traceability.md]`
accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 58fd22c6-b878-4627-9156-f6453c35e3ef

📥 Commits

Reviewing files that changed from the base of the PR and between 77d60b2 and 001a75e.

📒 Files selected for processing (4)

• .github/workflows/alert-sync-issues.yml
• .github/workflows/scorecard.yml
• .github/workflows/trufflehog.yml
• docs/reports/user-story-map.md

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Analyze (javascript-typescript)

🧰 Additional context used

📓 Path-based instructions (4)

docs/**

📄 CodeRabbit inference engine (CLAUDE.md)

Run documentation validation using vale docs/ to check documentation quality

Files:

• docs/reports/user-story-map.md

**/*.{js,ts,tsx,jsx,py,rs,go,java,kt,scala,cs,rb,php,c,cpp,h,hpp,m,swift,json,yaml,yml,toml,xml,html,css,scss,less,md}

📄 CodeRabbit inference engine (AGENTS.md)

All code MUST pass linting and formatting checks before commit; run linters and formatters locally, fix errors without suppressing warnings, and commit all formatting changes before feature changes

Files:

• docs/reports/user-story-map.md

**/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Use Vale for Markdown validation where available

Files:

• docs/reports/user-story-map.md

docs/**/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Keep documentation organized per global structure in docs/guides/, docs/reports/, docs/research/, docs/reference/, docs/checklists/

Files:

• docs/reports/user-story-map.md

🪛 zizmor (1.25.2)

.github/workflows/scorecard.yml

[warning] 10-10: overly broad permissions (excessive-permissions): security-events: write is overly broad at the workflow level

(excessive-permissions)

---

[error] 11-11: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level

(excessive-permissions)

---

[warning] 10-10: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

.github/workflows/alert-sync-issues.yml

[error] 4-4: overly broad permissions (excessive-permissions): issues: write is overly broad at the workflow level

(excessive-permissions)

---

[warning] 4-4: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

🔇 Additional comments (3)

docs/reports/user-story-map.md (1)

1-53: Please attach doc validation output for this change set.

I don’t see evidence in this PR context that Markdown/doc validation was run for docs/**. Please run and share output for vale docs/ (and your configured markdown lint/format checks) to confirm guideline compliance.
As per coding guidelines, “Use Vale for Markdown validation where available” and “Run documentation validation using vale docs/ to check documentation quality.”

Source: Coding guidelines

.github/workflows/alert-sync-issues.yml (1)

4-6: LGTM!

.github/workflows/trufflehog.yml (1)

21-21: LGTM!

Also applies to: 25-25

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/scorecard.yml"

echo "== Top-level permissions =="
awk 'NR>=1&&NR<=20{printf "%4d %s\n", NR, $0}' "$FILE" | sed -n '/^ *8 /,/^ *13 /p'

echo
echo "== Job-level permissions =="
awk 'NR>=20&&NR<=35{printf "%4d %s\n", NR, $0}' "$FILE" | sed -n '/permissions:/,/^ *30 /p'

Repository: KooshaPari/PhenoProject

Length of output: 400

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/scorecard.yml"

echo "== File (with line numbers, first 200 lines) =="
nl -ba "$FILE" | sed -n '1,200p'

echo
echo "== Occurrences of 'permissions:' =="
rg -n "^[[:space:]]*permissions:" "$FILE" || true

echo
echo "== Occurrences of 'jobs:' =="
rg -n "^[[:space:]]*jobs:" "$FILE" || true

echo
echo "== Job keys under jobs: (approx) =="
awk '
  $0 ~ /^[[:space:]]{2}jobs:/ {injobs=1; next}
  injobs && $0 ~ /^[[:space:]]{4}[A-Za-z0-9_-]+:/ {print NR ":" $0}
  $0 !~ /^[[:space:]]/ {if(injobs) injobs=0}
' "$FILE" || true

Repository: KooshaPari/PhenoProject

Length of output: 176

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/scorecard.yml"

echo "== File (with line numbers, first 200 lines) =="
cat -n "$FILE" | sed -n '1,200p'

echo
echo "== Occurrences of 'permissions:' =="
rg -n "^[[:space:]]*permissions:" "$FILE" || true

echo
echo "== Occurrences of 'jobs:' =="
rg -n "^[[:space:]]*jobs:" "$FILE" || true

Repository: KooshaPari/PhenoProject

Length of output: 1637

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/scorecard.yml"
echo "== wc -l =="
wc -l "$FILE"

echo
echo "== tail -n 80 =="
tail -n 80 "$FILE"

Repository: KooshaPari/PhenoProject

Length of output: 1200

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/scorecard.yml"
echo "== wc -l =="
wc -l "$FILE"

echo
echo "== tail -n 80 =="
tail -n 80 "$FILE"

Repository: KooshaPari/PhenoProject

Length of output: 1200

---

Keep elevated token scopes job-scoped only.
Top-level workflow permissions grants security-events: write, id-token: write, and actions: read, even though jobs.analysis.permissions already defines them—removing the workflow-level scopes keeps defaults least-privileged for any future jobs.

Suggested fix

 permissions:
   contents: read
-  security-events: write
-  id-token: write
-  actions: read

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 10-10: overly broad permissions (excessive-permissions): security-events: write is overly broad at the workflow level

(excessive-permissions)

---

[error] 11-11: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level

(excessive-permissions)

---

[warning] 10-10: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/scorecard.yml around lines 10 - 12, The workflow-level
permissions block is granting elevated scopes (security-events, id-token,
actions) globally; remove or narrow the top-level permissions block so those
elevated scopes are only defined under jobs.analysis.permissions (leave
jobs.analysis.permissions as-is) to ensure least-privileged defaults for other
jobs—specifically delete the top-level "permissions" entries (security-events:
write, id-token: write, actions: read) and rely on the existing
jobs.analysis.permissions stanza to provide those scopes only to the analysis
job.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix broken relative link for journey standard.

The link target is off by one directory. From docs/reports/user-story-map.md, it should point to ../operations/journey-traceability.md, not ../../operations/....

Proposed patch

-- **Journey standard:** [`../../operations/journey-traceability.md`](../../operations/journey-traceability.md)
+- **Journey standard:** [`../operations/journey-traceability.md`](../operations/journey-traceability.md)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- **Journey standard:** [`../../operations/journey-traceability.md`](../../operations/journey-traceability.md)
	- **Journey standard:** [`../operations/journey-traceability.md`](../operations/journey-traceability.md)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reports/user-story-map.md` at line 5, Fix the broken "Journey standard"
markdown link in docs/reports/user-story-map.md by changing the link target from
../../operations/journey-traceability.md to
../operations/journey-traceability.md so it correctly points one directory up;
update the markdown link text `[../../operations/journey-traceability.md]`
accordingly.