Formalise development workflow with enforced quality gates#3
Merged
Conversation
- CI (GitHub Actions): lint, full test suite, gitleaks secret scan on every PR and push to main - check.sh pre-commit gate: lint + gitleaks staged scan + tests in the test container (fails closed if gitleaks is missing) - bun test now enforces per-file coverage thresholds (95% lines, 90% functions); added tests for probeDuration, LogMessage debounce/edit failures, and handler error branches to bring every file above them - fix race in handlers.test.ts: clearPending was not awaited in beforeEach, so its unlink calls could steal queued mock implementations from the test body - restore the e2e gate in prod.sh - new lean CLAUDE.md documenting the workflow Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Scanning in CI is too late - the secret is already pushed. Server-side push protection rejects the push itself; the pre-commit gitleaks scan catches it even earlier, before it enters history at all. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- PreToolUse hook denies 'gh pr merge' when the PR's checks aren't green - permission ask rule makes ./prod.sh always require interactive approval - trim CLAUDE.md to conventions hooks can't enforce Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Found by /code-review: 'gh pr merge <branch>' previously fell through to checking the current branch's PR instead of the named one. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
e2e uses MockBotApi (faker token) with real yt-dlp, so it needs no secrets and can run anywhere. Partial runs can't meet whole-suite coverage thresholds, so e2e.sh uses bunfig.e2e.toml (no coverage). e2e.sh drops -it so it works without a TTY (git hooks). Also per owner feedback: /code-review findings get fixed directly, not posted as comments on our own PRs (CLAUDE.md updated). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Empirically verified in run 27304285133 - not flakiness but auth walls. e2e remains as the pre-push hook and the prod.sh deploy gate. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
CI: reddit/youtube hard-block GitHub datacenter IPs (verified in run 27304285133) - e2e stays as the pre-push hook and deploy gate. YouTube also rate-limits residential IPs when e2e runs more than a few times an hour, which a pre-push gate does; 571670e learned this once already. Instagram + both reddit URL forms still cover the pipeline. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Cloud IPs are blocked by the sites yt-dlp needs, so this project can't be developed from cloud sandboxes - drop the SSL-interception cert flags, the no-docker test fallback, and the CLAUDE.md mentions. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
pr-review-toolkit agents during development (recall, triaged by the authoring Claude); /code-review --fix as the pre-handoff precision gate. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Ruleset 17521822 requires a PR + green 'test' check on main, no bypass (admins included), so the gh-pr-merge PreToolUse hook is redundant and removed. CLAUDE.md: no more trivial-changes-to-main path; every change gets review-pr during development and /code-review --fix at handoff. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- scrub volatile yt-dlp output (format ids, sizes, bitrates) at snapshot time; mock file_id hashes a format-normalized name so cache snapshots don't drift either; shared FORMAT_ID_RE keeps the two in lockstep - mock rejects empty files like the real bot-api (catches truncated downloads that were previously invisible) - youtube runs in full e2e mode only (./e2e.sh full, used by the deploy gate); pre-push runs the reduced set. ./e2e.sh -u refreshes snapshots and implies full, since a reduced -u run would prune them - CLAUDE.md cut to the bare minimum Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Quality control for human and Claude contributors alike:
.github/workflows/ci.yml): lint + full test suite + gitleaks secret scan on every PR and push to maincheck.shvia simple-git-hooks): lint + gitleaks staged-scan + tests in the test container. Fails closed if gitleaks isn't installed.bun testfails if any file drops below 95% lines / 90% functions. Added tests (probeDuration, LogMessage debounce & edit-failure dedup, handler error branches) to bring every file above the bar first.clearPending()wasn't awaited in handlers.test.tsbeforeEach, racing the test body and stealing queued mock implementations.Verification
🤖 Generated with Claude Code