Skip to content

Formalise development workflow with enforced quality gates#3

Merged
miridius merged 12 commits into
mainfrom
formalise-workflow
Jun 10, 2026
Merged

Formalise development workflow with enforced quality gates#3
miridius merged 12 commits into
mainfrom
formalise-workflow

Conversation

@miridius

Copy link
Copy Markdown
Owner

What

Quality control for human and Claude contributors alike:

  • CI (.github/workflows/ci.yml): lint + full test suite + gitleaks secret scan on every PR and push to main
  • Pre-commit gate (check.sh via simple-git-hooks): lint + gitleaks staged-scan + tests in the test container. Fails closed if gitleaks isn't installed.
  • Coverage thresholds (bunfig.toml): bun test fails if any file drops below 95% lines / 90% functions. Added tests (probeDuration, LogMessage debounce & edit-failure dedup, handler error branches) to bring every file above the bar first.
  • Test fix: clearPending() wasn't awaited in handlers.test.ts beforeEach, racing the test body and stealing queued mock implementations.
  • prod.sh: e2e gate restored.
  • CLAUDE.md: lean rewrite documenting the workflow (branch+PR for features, tests with every change, never deploy unprompted).

Verification

  • Negative-tested the coverage gate (0.999 threshold → exit 1) and gitleaks (staged fake API key → blocked)
  • Full history scanned with gitleaks: clean (39 commits)
  • Suite: 144 pass / 0 fail in the test container

🤖 Generated with Claude Code

miridius and others added 12 commits June 10, 2026 21:54
- CI (GitHub Actions): lint, full test suite, gitleaks secret scan on
  every PR and push to main
- check.sh pre-commit gate: lint + gitleaks staged scan + tests in the
  test container (fails closed if gitleaks is missing)
- bun test now enforces per-file coverage thresholds (95% lines, 90%
  functions); added tests for probeDuration, LogMessage debounce/edit
  failures, and handler error branches to bring every file above them
- fix race in handlers.test.ts: clearPending was not awaited in
  beforeEach, so its unlink calls could steal queued mock
  implementations from the test body
- restore the e2e gate in prod.sh
- new lean CLAUDE.md documenting the workflow

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Scanning in CI is too late - the secret is already pushed. Server-side
push protection rejects the push itself; the pre-commit gitleaks scan
catches it even earlier, before it enters history at all.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- PreToolUse hook denies 'gh pr merge' when the PR's checks aren't green
- permission ask rule makes ./prod.sh always require interactive approval
- trim CLAUDE.md to conventions hooks can't enforce

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Found by /code-review: 'gh pr merge <branch>' previously fell through to
checking the current branch's PR instead of the named one.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
e2e uses MockBotApi (faker token) with real yt-dlp, so it needs no
secrets and can run anywhere. Partial runs can't meet whole-suite
coverage thresholds, so e2e.sh uses bunfig.e2e.toml (no coverage).
e2e.sh drops -it so it works without a TTY (git hooks).

Also per owner feedback: /code-review findings get fixed directly,
not posted as comments on our own PRs (CLAUDE.md updated).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Empirically verified in run 27304285133 - not flakiness but auth walls.
e2e remains as the pre-push hook and the prod.sh deploy gate.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
CI: reddit/youtube hard-block GitHub datacenter IPs (verified in run
27304285133) - e2e stays as the pre-push hook and deploy gate.
YouTube also rate-limits residential IPs when e2e runs more than a few
times an hour, which a pre-push gate does; 571670e learned this once
already. Instagram + both reddit URL forms still cover the pipeline.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Cloud IPs are blocked by the sites yt-dlp needs, so this project can't
be developed from cloud sandboxes - drop the SSL-interception cert
flags, the no-docker test fallback, and the CLAUDE.md mentions.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
pr-review-toolkit agents during development (recall, triaged by the
authoring Claude); /code-review --fix as the pre-handoff precision gate.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Ruleset 17521822 requires a PR + green 'test' check on main, no bypass
(admins included), so the gh-pr-merge PreToolUse hook is redundant and
removed. CLAUDE.md: no more trivial-changes-to-main path; every change
gets review-pr during development and /code-review --fix at handoff.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- scrub volatile yt-dlp output (format ids, sizes, bitrates) at snapshot
  time; mock file_id hashes a format-normalized name so cache snapshots
  don't drift either; shared FORMAT_ID_RE keeps the two in lockstep
- mock rejects empty files like the real bot-api (catches truncated
  downloads that were previously invisible)
- youtube runs in full e2e mode only (./e2e.sh full, used by the deploy
  gate); pre-push runs the reduced set. ./e2e.sh -u refreshes snapshots
  and implies full, since a reduced -u run would prune them
- CLAUDE.md cut to the bare minimum

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@miridius miridius merged commit 5b23886 into main Jun 10, 2026
1 check passed
@miridius miridius deleted the formalise-workflow branch June 10, 2026 22:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant