Conversation
fix: remove --branch=main from deploy workflow
* fix: remove --branch=main * fix: remove VitePress base (routing handled by Worker) * fix: restore VitePress base for proper asset routing * fix: add VitePress base '/docs/cora/' for asset routing * fix: restore docs/.vitepress/config.mts from develop * fix: remove VitePress base — routing via Worker with <base href> injection * fix: add CF Pages _redirects * fix: add VitePress base '/docs/cora/' to cora config * fix: remove base prefix from head assets (VitePress prepends base automatically) * fix: trim trailing whitespace in deploy workflow (#310)
…) (#317) - Add early non-JSON response guard in parse_scan_response: detect HTML error pages, rate-limit bodies, empty responses, and prose wrappers before attempting strict parse. Surface raw response prefix (first 512 bytes, whitespace-collapsed) in the error so users can diagnose truncation vs provider error vs prose. - Make per-batch parse failures non-fatal by default: skip the failing batch with a stderr warning and warn-level log (with file list), continue with remaining batches. --no-continue-on-batch-error restores old abort behavior. - Add --batch-files <N> flag (default 20) to cap files per LLM batch — lower it to work around provider token limits on large scans. - Truncated-JSON repair path now also includes raw response prefix. - Add 14 unit tests covering looks_like_json_array, preview_raw, and parse_scan_response non-JSON rejection. - Bump version 0.6.0 → 0.6.1 (patch: bug fix, no API breaking changes).
Previously `cora review` could exit 2 (EXIT_BLOCKED) even when the `--severity` filter removed all blocking findings and the SARIF output contained 0 error-level results. This blocked PR merges in CI when Cora Review was configured as a required status check. Root cause: `should_block` was computed by the engine using `config.hook.min_severity`, but the exit-code logic used the same `should_block` flag without re-checking against the **filtered** issue list (after CLI `--severity` filtering). So a Major finding with `--severity critical` would still cause exit 2 even though the filtered output shown to the user had no findings. Fix: - Recompute `should_block` on `filtered_response` after severity filtering, so exit code matches what the user sees (both in the single-chunk and `--auto-chunk` paths). - Extract exit-code logic into `compute_exit_code()` pure helper with 8 unit tests (gate pass/fail, CI mode, hook block vs non-block). Bump 0.6.0 -> 0.6.1 (patch).
Prebuilt macOS binaries are not Apple-notarized. When a user downloads the `aarch64-apple-darwin` tarball directly (via `gh release download`, browser, or curl), macOS attaches `com.apple.quarantine` and `com.apple.provenance` extended attributes and then kills the binary on first launch with signal 9 — producing `Killed: 9` and **no error output**. This makes the failure look like a cora crash rather than a distribution gap. Changes - install.sh: after `chmod +x`, on macOS run best-effort `xattr -dr com.apple.quarantine` and `xattr -dr com.apple.provenance` on the installed binary. Non-fatal on failure (binary may already be clean). - README: add a prominent <details> block under the Install section explaining the `Killed: 9` symptom, the manual `xattr -dr` workaround for direct-download users, and the `cargo` / Homebrew alternatives. - CHANGELOG entry under `## [0.6.1] -> Fixed — Install (macOS)`. Note: the real fix is Apple notarization (codesign + notarytool), which requires an Apple Developer ID certificate. This PR is the minimum-cost stopgap documented in the issue. A follow-up can add notarization to `.github/workflows/release.yml` once credentials are available. Bump 0.6.0 -> 0.6.1 (patch).
The install docs listed several methods without warning that having more\nthan one on $PATH silently resolves to whichever appears first. On a real\ndeveloper machine three copies were present simultaneously\n(~/.local/bin, ~/.cargo/bin, ~/.bun/bin) and the stale npm v0.2.4 was\nbeing invoked, causing confusing behavior.\n\nChanges\n- README: pick one recommended method, list all supported channels in a\n table, and add a `which -a cora && cora --version` check snippet with\n guidance for pruning stale copies.\n- Cross-link issue #314 for background.\n- CHANGELOG entry under ## [0.6.1] -> Changed — Docs.\n\nAlso closes #315 as a duplicate of #314 (same title/body/author, opened\n3 seconds apart).\n\nBump 0.6.0 -> 0.6.1 (patch; docs only).
- docs/changelog.md: sync from root CHANGELOG.md (was stuck at v0.2.0 —
now includes v0.4.x, v0.5.x, v0.6.0, and v0.6.1 with all compare links).
- docs/installation.md:
- Update pinned-version example to v0.6.1.
- Add 'Check for stale copies on PATH' subsection (which -a cora)
cross-linking #314.
- Add 'macOS: Killed: 9 on launch?' subsection documenting the
Gatekeeper quarantine workaround (xattr -dr) from #313.
- Replace placeholder 'cora 0.x.x' in verify snippet with 'cora 0.6.1'.
- docs/cli-reference.md: document new `cora scan` flags
--batch-files <N> and --no-continue-on-batch-error (#316).
- docs/usage.md: add tip about lowering --batch-files for large scans
and the non-fatal batch behavior (#316).
- README.md: update pinned-version example to v0.6.1.
No code changes. Part of the v0.6.1 patch release bundle.
5 tasks
ajianaz
added a commit
that referenced
this pull request
Jun 21, 2026
Three bugs caused tokens_used to always be None or partial: 1. parse_review_response/parse_scan_response hardcoded Ok((..., None)), discarding the Usage object from the API response. Fixed by threading Option<&Usage> through both functions and converting via usage_to_token_usage(). 2. chat_completion_stream only collected delta.content, ignoring the usage field in the final SSE chunk. Now sends stream_options.include_usage and parses usage from top-level or choices[0].delta.usage. 3. scan multi-batch total_tokens was overwritten per batch instead of accumulated. Fixed with proper accumulation of input/output/cost. Also: - Extracted magic numbers (20, 60_000) to named constants - Usage struct now accepts camelCase aliases (promptTokens etc) - chat_completion returns (String, Option<Usage>) tuple - Added 4 regression tests for token usage threading - Bumped version 0.6.1 → 0.6.2 All 590 tests pass (568 unit + 16 CLI + 6 config).
ajianaz
added a commit
that referenced
this pull request
Jun 21, 2026
… (#323) Three bugs caused tokens_used to always be None or partial: 1. parse_review_response/parse_scan_response hardcoded Ok((..., None)), discarding the Usage object from the API response. Fixed by threading Option<&Usage> through both functions and converting via usage_to_token_usage(). 2. chat_completion_stream only collected delta.content, ignoring the usage field in the final SSE chunk. Now sends stream_options.include_usage and parses usage from top-level or choices[0].delta.usage. 3. scan multi-batch total_tokens was overwritten per batch instead of accumulated. Fixed with proper accumulation of input/output/cost. Also: - Extracted magic numbers (20, 60_000) to named constants - Usage struct now accepts camelCase aliases (promptTokens etc) - chat_completion returns (String, Option<Usage>) tuple - Added 4 regression tests for token usage threading - Bumped version 0.6.1 → 0.6.2 All 590 tests pass (568 unit + 16 CLI + 6 config).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release v0.6.1 (patch)
Brings all v0.6.1 changes from
developtomainfor tagging. Five squash commits:447398b22374c4dc4a667d026db6f1027baDuplicate issue #315 closed as not-planned.
What's new in v0.6.1
Fixed — Scan (#316)
cora scanno longer aborts on non-JSON LLM responses. Detect provider error pages / rate-limit bodies / empty responses / prose wrappers early and surface the raw response prefix (first 512 bytes) in the error.--no-continue-on-batch-errorrestores the old abort behavior.--batch-files <N>flag (default 20) to work around provider token limits.Fixed — Review (#312)
cora reviewno longer exits 2 when--severityfiltering removes all blocking findings.should_blockis now recomputed against the filtered issue list so the exit code matches the SARIF/pretty output the user sees. Applies to both single-chunk and--auto-chunkpaths.Fixed — Install / macOS (#313)
install.shnow stripscom.apple.quarantine/com.apple.provenancexattrs on the installed binary so it is no longer killed withKilled: 9on first launch. README +docs/installation.mddocument the symptom and manual workaround for direct downloads.Changed — Docs (#314, #321)
which -a coracheck snippet.docs/changelog.mdsynced from root (was stuck at v0.2.0).docs/cli-reference.mddocuments the two newcora scanflags.docs/usage.mdadds a tip for lowering--batch-fileson large scans.Test plan
cargo test: 564 + 16 + 6 tests pass ondevelop.cargo clippy -- -D warningsclean.cargo fmt --checkclean.Post-merge
After this merges to
main, tagv0.6.1on the merge commit (or main HEAD) will trigger.github/workflows/release.ymlto:CHANGELOG.md.