feat: v1 finalize Track D — dogfood polish (6 ACs)#75
Merged
Conversation
Run Semgrep with `p/auto` + `p/owasp-top-ten` in the canonical `semgrep/semgrep` container on push/PR to main and weekly Mondays. Upload SARIF as `category: semgrep` via codeql-action/upload-sarif@v4 with `if: always()` so findings reach Code Scanning even when the scan exits non-zero. Refs spec 006 §Track D AC-D-1 (.erpaval gitignored).
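The workflow shape this commit describes, as an added illustration (not the repository's own `semgrep.yml`, which is not reproduced on this page). The scan runs inside the `semgrep/semgrep` container and is told to exit non-zero when it has findings, so the only way the SARIF reaches Code Scanning on a failing scan is the unconditional upload step. The cron time of day, the `--error` flag on `semgrep scan` and the SARIF file name are assumptions.

```yaml
# .github/workflows/semgrep.yml  (added illustration, not the project's file)
name: semgrep

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly on Mondays; 06:00 UTC is an assumption

permissions:
  contents: read
  security-events: write  # needed by codeql-action/upload-sarif

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # canonical image; pin to a digest for supply-chain hygiene
    steps:
      - uses: actions/checkout@v6

      # Two rulesets, SARIF written to a fixed path. --error makes semgrep exit 1
      # when it has findings, which fails this step ...
      - name: Semgrep scan
        run: >
          semgrep scan
          --config p/auto
          --config p/owasp-top-ten
          --sarif
          --output semgrep.sarif
          --error

      # ... so the upload has to run regardless of the previous step's status;
      # without `if: always()` the job aborts here and Code Scanning sees nothing.
      - name: Upload SARIF to Code Scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: semgrep.sarif
          category: semgrep
```

The job still ends red when the scan step fails, so the PR check reflects the findings; `if: always()` only decouples the upload from that failure. The `category` value is what lets this workflow's results coexist with other SARIF producers (OSV, the self-scan) on the same commit without overwriting each other.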
Move the OSV vulnerability scan out of the embedded ci.yml job into a dedicated osv.yml workflow with weekly cron and the same SARIF + exit-code-gating shape as the prior embedded job. Bump the binary pin v2.3.5 → v2.3.8 (released 2026-05-08, bug fixes only — no breaking changes; URL pattern unchanged). Delete the embedded osv: job from ci.yml in the same change so the SARIF upload runs exactly once per commit. Refs spec 006 §Track D AC-D-2.
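The standalone OSV workflow with the "SARIF + exit-code gating" shape this commit refers to, as an added illustration (not the repository's `osv.yml`). It differs from the Semgrep case in two ways worth seeing: the scanner is a pinned binary download, so the checksum is verified before it runs, and the scan step uses `continue-on-error` with a later gating step instead of letting the scan step itself fail. The release-asset URL pattern, the `osv-scanner scan source` invocation, the cron time and the checksum placeholder are assumptions; the real digest comes from the v2.3.8 release's checksum file.

```yaml
# .github/workflows/osv.yml  (added illustration, not the project's file)
name: osv-scanner

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly; day and time are an assumption

permissions:
  contents: read
  security-events: write

env:
  OSV_VERSION: v2.3.8
  # PLACEHOLDER: paste the sha256 of osv-scanner_linux_amd64 from the v2.3.8 release.
  OSV_SHA256: "<sha256-of-osv-scanner_linux_amd64-for-v2.3.8>"

jobs:
  osv:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      # Pin by version AND verify the digest: a version string alone does not
      # protect against a replaced release asset or a redirected download.
      - name: Fetch pinned osv-scanner binary
        run: |
          set -euo pipefail
          url="https://github.com/google/osv-scanner/releases/download/${OSV_VERSION}/osv-scanner_linux_amd64"
          curl -fsSL -o osv-scanner "$url"
          echo "${OSV_SHA256}  osv-scanner" | sha256sum -c -
          chmod +x osv-scanner

      # osv-scanner exits non-zero when it finds vulnerabilities. continue-on-error
      # keeps the job alive so the SARIF upload always happens; the outcome is
      # re-checked in the final step.
      - name: Scan lockfiles
        id: scan
        continue-on-error: true
        run: ./osv-scanner scan source -r --format sarif --output osv.sarif .

      - name: Upload SARIF to Code Scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: osv.sarif
          category: osv-scanner

      # Exit-code gating: fail the job only after the findings have been uploaded.
      - name: Gate on scan result
        if: steps.scan.outcome == 'failure'
        run: |
          echo "osv-scanner reported vulnerabilities (see Code Scanning, category osv-scanner)"
          exit 1
```

Deleting the embedded `osv:` job from `ci.yml` in the same change matters for more than tidiness: two uploads under the same `category` for one commit would race, and the later one replaces the earlier one in Code Scanning. One caveat on the gating step: if the scanner aborts before writing `osv.sarif` (a network failure, not a finding), the upload step fails on the missing file, which is the right outcome since nothing was scanned.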
Run codehub against itself using the local workspace build (not the npm-published CLI). Triggers on push/PR to main and weekly Wednesdays. Use pnpm exec node packages/cli/dist/index.js because pnpm link --global was removed in pnpm 11.x; this invocation is forward-compatible. Upload .codehub/scan.sarif as category opencodehub-self via codeql-action/upload-sarif@v4. Optional license-tier gate opens an issue on BLOCK (non-blocking) per packages/cli/src/commands/ci-templates/github-weekly.yml. Refs spec 006 §Track D AC-D-3.
Inline the code-pack build + gh release upload --clobber inside the release-please workflow, gated on steps.release.outputs.release_created. Inline (rather than a separate workflow listening on release: published) because events triggered by the default GITHUB_TOKEN do not fire downstream workflow runs (GitHub Actions safety rule); a separate release-published workflow would never run automatically. The pack invocation is `code-pack . --budget 100000 --tokenizer openai:o200k_base@tiktoken-0.8.0 --out-dir /tmp/pack` so the resulting tarball is byte-identical given the same release SHA + tokenizer pin. Refs spec 006 §Track D AC-D-3 and the asset-attach pattern from the release-please-action v5 README. Note: sbom.yml has the same latent release: published bug; flagged for follow-on PR rather than expanded scope here.
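The inline asset-attach pattern this commit describes, as an added illustration (not the repository's `release-please.yml`). The point to take away is in the comments: every step after `release-please-action` runs in the same workflow run that created the release, because a release created with the default `GITHUB_TOKEN` never triggers a separate `on: release` workflow. The `jdx/mise-action@v4` step standing in for toolchain setup, the `pnpm exec code-pack` resolution, the `pnpm -r build` step and the tarball name are assumptions; the pack flags are the ones quoted above.

```yaml
# .github/workflows/release-please.yml  (added illustration, not the project's file)
name: release-please

on:
  push:
    branches: [main]

permissions:
  contents: write        # create the release and upload assets to it
  pull-requests: write   # release-please opens/updates the release PR

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: googleapis/release-please-action@v5
        id: release
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      # Everything below is gated on release_created and runs in THIS workflow run.
      # A second workflow listening on `release: [published]` would never fire:
      # the release was created by GITHUB_TOKEN, and events produced by
      # GITHUB_TOKEN do not start new workflow runs (GitHub Actions safety rule).
      - uses: actions/checkout@v6
        if: ${{ steps.release.outputs.release_created }}
        with:
          ref: ${{ steps.release.outputs.tag_name }}   # build exactly the released SHA

      - uses: jdx/mise-action@v4          # assumption: installs node + pnpm from mise.toml
        if: ${{ steps.release.outputs.release_created }}

      - name: Build the workspace and produce the code-pack
        if: ${{ steps.release.outputs.release_created }}
        run: |
          set -euo pipefail
          pnpm install --frozen-lockfile
          pnpm -r build
          # Fixed budget + tokenizer pin: the pack output is reproducible for a
          # given release SHA. (`code-pack` resolving via pnpm exec is an assumption.)
          pnpm exec code-pack . --budget 100000 \
            --tokenizer openai:o200k_base@tiktoken-0.8.0 --out-dir /tmp/pack
          # Deterministic archive: sorted entries, zeroed mtime/owner, gzip without
          # its header timestamp, so the tarball bytes do not vary between runs.
          tar --sort=name --mtime='UTC 1970-01-01' --owner=0 --group=0 --numeric-owner \
            -cf - -C /tmp/pack . | gzip -n > codehub-pack.tar.gz
          sha256sum codehub-pack.tar.gz > codehub-pack.tar.gz.sha256

      - name: Attach the pack to the release
        if: ${{ steps.release.outputs.release_created }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release upload "${{ steps.release.outputs.tag_name }}" \
            codehub-pack.tar.gz codehub-pack.tar.gz.sha256 --clobber
```

The alternative the lessons commit below mentions, giving `release-please-action` a PAT so the release event does fire downstream workflows, works but widens the blast radius of a leaked token to everything that PAT can reach; inlining keeps the job on the least-privileged `GITHUB_TOKEN`. Publishing the `.sha256` beside the tarball gives consumers a way to check the byte-identity claim without rebuilding.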
Promote the 22-line scaffold to a fuller shape: top-level min_version,
assert_lefthook_installed, glob_matcher (doublestar — gobwas default
does not treat ** recursively), output blocks, and a pnpm template.
Per-job changes:
- biome / banned-strings / commitlint / typecheck / test gain fail_text.
- pre-commit gains priority on biome (1) and banned-strings (2).
- pre-commit gains a new pnpm-lock-sync job that fires only when
pnpm-lock.yaml or package.json or pnpm-workspace.yaml is staged.
- pre-push typecheck + test gain skip: [merge, rebase] and a diff-scoped
files: glob.
- pre-push gains a new verdict job running
pnpm exec codehub verdict --base origin/main --head HEAD --exit-code
so a policy-block verdict aborts the push.
banned-strings is now glob-scoped to source / doc / config files instead
of running on the whole repo.
Refs spec 006 §Track D AC-D-5.
Five new tasks:
- pack:determinism wraps scripts/pack-determinism-audit.sh and is
appended to check:full deps so the byte-identity gate runs as part
of the full local CI.
- och:self-{analyze,scan,verdict,pack} dogfood the codehub CLI on
this repo via pnpm exec node packages/cli/dist/index.js — pnpm link
--global was removed in pnpm 11.x so this invocation is forward-
compatible.
The audit script SKIPs gracefully on dev boxes without an existing
.codehub/duck.db, so wiring it into check:full does not break
green-tree CI.
Refs spec 006 §Track D AC-D-6.
The codehub verdict CLI does not accept --exit-code; it sets process.exitCode by default based on tier (block returns non-zero, auto_merge returns 0). The pre-push verdict hook caught this on first push attempt — adjust lefthook.yml + mise.toml + och-self-scan.yml to match the real CLI surface. Bonus: the dogfood path proved its worth on the first run by catching a CLI-spec mismatch before it hit CI.
Guard the verdict run on a present .codehub/graph.duckdb (or graph.lbug) so the hook prints a SKIP message and exits 0 when the dev box hasn't run 'codehub analyze' yet, rather than hard-blocking the push. Matches the SKIP behaviour of scripts/pack-determinism-audit.sh. This keeps the spec D1-E-4 contract intact for indexed checkouts (CI + dev boxes that have analyzed) while removing the foot-gun for new clones.
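A `lefthook.yml` in the shape the lefthook-polish commit above describes, combined with the two fixes that followed it (no `--exit-code` on `codehub verdict`, and the graceful-degrade guard on the index files), as an added illustration rather than the repository's actual file. The `min_version`, `assert_lefthook_installed`, `glob_matcher: doublestar`, `output` and `templates` keys, the job names and the `skip`/`files`/`fail_text`/`priority` fields are the ones the commit lists; the glob patterns, the `check-banned-strings.sh` argument convention and the `typecheck`/`biome` commands are assumptions.

```yaml
# lefthook.yml  (added illustration, not the project's file)
min_version: 2.1.6
assert_lefthook_installed: true
glob_matcher: doublestar      # the gobwas default does not treat ** as recursive

output:
  - summary
  - failure

templates:
  pnpm: pnpm exec

pre-commit:
  jobs:
    - name: biome
      priority: 1
      glob: "**/*.{ts,tsx,js,json}"                 # assumption
      run: "{pnpm} biome check {staged_files}"
      fail_text: "biome check failed; fix and re-stage"
    - name: banned-strings
      priority: 2
      glob: "**/*.{ts,tsx,js,md,yml,yaml,toml,json}"   # source / doc / config only
      run: bash scripts/check-banned-strings.sh {staged_files}
      fail_text: "banned string found in staged files"
    - name: pnpm-lock-sync
      # fires only when one of the three manifest files is staged
      glob: "{pnpm-lock.yaml,package.json,pnpm-workspace.yaml}"
      run: pnpm install --frozen-lockfile --lockfile-only
      fail_text: "pnpm-lock.yaml is out of sync with package.json"

pre-push:
  jobs:
    - name: typecheck
      skip: [merge, rebase]
      files: git diff --name-only origin/main...HEAD    # diff-scoped file list
      glob: "**/*.ts"
      run: "{pnpm} tsc --noEmit"                        # assumption
      fail_text: "typecheck failed"
    - name: verdict
      skip: [merge, rebase]
      # No --exit-code flag: the CLI sets process.exitCode from the tier by
      # itself (block -> non-zero, auto_merge -> 0), so a block aborts the push.
      run: |
        if [ ! -f .codehub/graph.duckdb ] && [ ! -f .codehub/graph.lbug ]; then
          echo "SKIP verdict: no codehub index in .codehub/ (run 'codehub analyze' to enable this gate)"
          exit 0
        fi
        pnpm exec node packages/cli/dist/index.js verdict --base origin/main --head HEAD
      fail_text: "codehub verdict returned a policy-block tier; push aborted"
```

Two things a reviewer should keep in mind about the guard. The SKIP path exits 0, so a fresh clone pushes without the verdict gate at all; that is the intended trade-off, and it only holds because the self-scan workflow in CI is the authoritative check, with the hook as an early warning. And any git hook is a developer convenience, not a control: `git push --no-verify` bypasses it, so nothing that must be enforced should live only here.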
Two compound-extracted lessons from the v1-finalize Track D session:
1. release-published events from default GITHUB_TOKEN do not fire downstream workflows — inline asset-attach in release-please.yml gated on steps.release.outputs.release_created, OR pass a PAT to release-please-action. Existing sbom.yml has the same latent bug.
2. Dogfood pre-push hooks catch CLI spec drift on first push. Pattern the SKIP-with-message shape from pack-determinism-audit.sh for any gate that depends on a derived artifact (index, build output, cache).
Closed
theagenticguy added a commit that referenced this pull request on May 10, 2026
## Summary
Track D — leg 4/4 of v1.0 finalize. CI / lefthook / mise dogfood polish
per `.erpaval/specs/006-v1-finalize/spec.md§Track D`.
- **AC-D-1** `feat(ci): add standalone Semgrep workflow` (`9b36bf4`) —
`semgrep/semgrep` container, `p/auto + p/owasp-top-ten`, SARIF upload as
`category: semgrep`.
- **AC-D-2** `feat(ci): split OSV-Scanner into standalone workflow`
(`22253da`) — extract from embedded `ci.yml` job into `osv.yml`. Bumped
pin v2.3.5 → v2.3.8 (released 2026-05-08, fixes only).
- **AC-D-3** `feat(ci): add self-scan dogfood workflow` (`0e43d06`) —
`och-self-scan.yml` runs `codehub` on itself via `pnpm exec node
packages/cli/dist/index.js` (no `pnpm link --global` — removed in pnpm
11.x).
- **AC-D-4** `feat(ci): attach codehub code-pack as a release asset`
(`1ab82a6`) — **inline** in `release-please.yml` gated on
`steps.release.outputs.release_created`; a separate `release: published`
workflow would not fire under default `GITHUB_TOKEN` (research finding).
Latent same-bug in `sbom.yml` flagged for follow-on.
- **AC-D-5** `chore(repo): polish lefthook config to claude-sql parity`
(`4cf07a8`) — `min_version`, `assert_lefthook_installed`, `glob_matcher:
doublestar`, `output:` blocks, `templates: {pnpm}`, per-job
`fail_text`/`priority`/`skip`/`files:` diff-scoping. NEW pre-commit
`pnpm-lock-sync` job. NEW pre-push `verdict` job with graceful-degrade
guard for un-indexed checkouts.
- **AC-D-6** `chore(repo): add och:self-* dogfood mise tasks +
pack:determinism` (`3894ca9`) — `pack:determinism` wired into
`check:full` deps; 4 dogfood tasks (analyze/scan/verdict/pack).
- **fix(ci)** `drop --exit-code from codehub verdict invocations`
(`55dc684`) — pre-push hook on first run caught a CLI-spec mismatch;
verdict already exits with non-zero on `block` by default, no flag
needed.
- **fix(ci)** `make pre-push verdict hook degrade gracefully on
un-indexed dev boxes` (`044ef43`) — guard on presence of
`.codehub/graph.duckdb` or `graph.lbug`, mirroring
`pack-determinism-audit.sh` SKIP shape.
Spec coordinate sweep: zero `AC-*` / `M-*` / `W-*` / `CL-*` leakage in
source per
`.erpaval/solutions/best-practices/no-spec-coordinate-leakage-into-source.md`.
## Validation
- `mise run check` exit 0 (lint + typecheck + test 235/235 cli + 17
packages green + banned-strings).
- `mise run pack:determinism` SKIP-clean (no `.codehub/duck.db` on dev —
graceful, expected).
- `mise run check:full --dry-run` confirms `pack:determinism` wired into
the DAG.
- `bash scripts/check-banned-strings.sh` PASS — every commit gated by
lefthook pre-commit hook.
- All 6 YAML files parse via `yaml.safe_load`; `mise.toml` parses via
`tomli.load`.
- Per-commit lefthook gates fired green (banned-strings + commitlint +
on push: typecheck + test + verdict).
## API freshness — research-grounded 2026-05-09
`./.erpaval/sessions/session-85faf1/research-track-d.md` cites every API
decision against the upstream source: codeql-action@v4, checkout@v6,
upload-artifact@v7, mise-action@v4, release-please-action@v5,
semgrep/semgrep, osv-scanner v2.3.8, lefthook v2.1.6 schema, mise.toml
task syntax, pnpm 11.x removal of `pnpm link --global`.
## Test plan
- [ ] Confirm CI passes on the PR (lint + typecheck + test on Node 22 +
24, sarif-validate, banned-strings, licenses, osv).
- [ ] Verify the new `semgrep.yml` runs (dispatch on push to PR) and
uploads SARIF to Code Scanning under `category: semgrep`.
- [ ] Verify the new `osv.yml` runs and uploads SARIF under `category:
osv-scanner`; embedded `ci.yml` `osv:` job is gone.
- [ ] Verify `och-self-scan.yml` workflow_dispatches successfully on
this branch (manual trigger from Actions tab).
- [ ] Smoke `mise run pack:determinism` after running `codehub analyze`
on a clean checkout to confirm byte-identity.
- [ ] (Future PR) Migrate `sbom.yml` from `release: [published]` →
inline in `release-please.yml` per the same finding that drove AC-D-4.
## Adjacent debt flagged for follow-on PRs
- `sbom.yml` has the same `release: [published]` + default
`GITHUB_TOKEN` latent bug as the prior AC-D-4 design. One-line workflow
change to inline; out of scope here.
- `lefthook.yml` `core.hooksPath` hint surfaces every commit on this dev
box; cosmetic — local clone has `.git/hooks` set explicitly.
## Rollback
Each AC commit touches disjoint files (different `.yml` workflows /
`lefthook.yml` / `mise.toml`). Any AC can be reverted independently with
`git revert <sha>` without disturbing the others.
Merged
theagenticguy added a commit that referenced this pull request on May 12, 2026
🤖 Automated release via release-please

---

<details><summary>analysis: 0.1.1</summary>

## [0.1.1](analysis-v0.1.0...analysis-v0.1.1) (2026-05-12)

### Features

* initial public release of opencodehub v0.1.1 ([3f23006](3f23006))
* M7 LadybugDB default + IGraphStore abstraction hardening (Track A) ([#71](#71)) ([0175113](0175113))

### Documentation

* **repo:** pre-publish npm readiness — READMEs, GOVERNANCE, CODEOWNERS, package metadata ([dd10f72](dd10f72))

### Refactoring

* consolidate repo-local dir references on META_DIR_NAME ([ce4b63d](ce4b63d))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/core-types bumped to 0.2.0
    * @opencodehub/sarif bumped to 0.1.1
    * @opencodehub/storage bumped to 0.1.1
</details>

<details><summary>cli: 0.2.0</summary>

## [0.2.0](cli-v0.1.0...cli-v0.2.0) (2026-05-12)

### ⚠ BREAKING CHANGES

* replace LSP oracle with SCIP indexers (TS/Py/Go/Rust/Java) ([#32](#32))

### Features

* artifact factory + codehub init + CI UX fixes ([#38](#38)) ([d6ffafa](d6ffafa))
* **cli:** add --granularity flag to analyze for hierarchical embeddings ([defa9b6](defa9b6))
* **cli:** add --strict-detectors flag + ts-morph optional dep ([329f5c3](329f5c3))
* **cli:** add exact-name resolver and disambiguation flags to context ([7f279a9](7f279a9))
* **cli:** flip query hybrid-by-default with --bm25-only + --rerank-top-k ([3e924b5](3e924b5))
* detect-secrets as 20th scanner (Track B) ([#72](#72)) ([8fbdd61](8fbdd61))
* **embedder:** replace Arctic Embed XS with gte-modernbert-base ([#31](#31)) ([1214071](1214071))
* **ingestion:** WASM fallback via web-tree-sitter + --wasm-only flag ([cecb401](cecb401))
* initial public release of opencodehub v0.1.1 ([3f23006](3f23006))
* M7 LadybugDB default + IGraphStore abstraction hardening (Track A) ([#71](#71)) ([0175113](0175113))
* **mcp,cli:** join symbol summaries into query results (P04 surface) ([3d73b65](3d73b65))
* replace LSP oracle with SCIP indexers (TS/Py/Go/Rust/Java) ([#32](#32)) ([1cceb24](1cceb24))
* **scanners:** persist partialFingerprint, baselineState, suppressedJson ([fb4585d](fb4585d))
* **search:** add filter-aware zoom retrieval across hierarchical tiers ([5ab80c4](5ab80c4))
* v1 finalize Track C — debt sweep (7 ACs) ([#73](#73)) ([06d2bb1](06d2bb1))

### Bug Fixes

* **cli:** accurate doctor native-binding + int8 weights checks ([fb569f9](fb569f9))
* **storage:** wire @ladybugdb/core binding, fix lbug open() guards, upgrade pnpm v10→v11 ([#93](#93)) ([78d6a85](78d6a85))

### Performance

* **embeddings:** cross-node batching + worker pool ([#33](#33)) ([acb59d0](acb59d0))

### Documentation

* **repo:** pre-publish npm readiness — READMEs, GOVERNANCE, CODEOWNERS, package metadata ([dd10f72](dd10f72))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.1.1
    * @opencodehub/core-types bumped to 0.2.0
    * @opencodehub/embedder bumped to 0.1.1
    * @opencodehub/ingestion bumped to 0.2.0
    * @opencodehub/mcp bumped to 0.2.0
    * @opencodehub/sarif bumped to 0.1.1
    * @opencodehub/scanners bumped to 0.1.1
    * @opencodehub/search bumped to 0.1.1
    * @opencodehub/storage bumped to 0.1.1
</details>

<details><summary>core-types: 0.2.0</summary>

## [0.2.0](core-types-v0.1.0...core-types-v0.2.0) (2026-05-12)

### ⚠ BREAKING CHANGES

* replace LSP oracle with SCIP indexers (TS/Py/Go/Rust/Java) ([#32](#32))

### Features

* **core-types:** scaffold v1.1 node-shape extensions for planned packets ([e17a4b5](e17a4b5))
* initial public release of opencodehub v0.1.1 ([3f23006](3f23006))
* M7 LadybugDB default + IGraphStore abstraction hardening (Track A) ([#71](#71)) ([0175113](0175113))
* replace LSP oracle with SCIP indexers (TS/Py/Go/Rust/Java) ([#32](#32)) ([1cceb24](1cceb24))
* **storage:** populate reserved complexity, coverage, deadness columns ([c81e4c3](c81e4c3))
* v1 finalize Track C — debt sweep (7 ACs) ([#73](#73)) ([06d2bb1](06d2bb1))

### Documentation

* **repo:** pre-publish npm readiness — READMEs, GOVERNANCE, CODEOWNERS, package metadata ([dd10f72](dd10f72))

### Refactoring

* **core-types:** centralize LanguageId in core-types ([4c33fc7](4c33fc7))
</details>

<details><summary>embedder: 0.1.1</summary>

## [0.1.1](embedder-v0.1.0...embedder-v0.1.1) (2026-05-12)

### Features

* detect-secrets as 20th scanner (Track B) ([#72](#72)) ([8fbdd61](8fbdd61))
* **embedder:** add SageMaker backend for remote embeddings ([9b5c53d](9b5c53d))
* **embedder:** replace Arctic Embed XS with gte-modernbert-base ([#31](#31)) ([1214071](1214071))
* initial public release of opencodehub v0.1.1 ([3f23006](3f23006))
* v1 finalize Track C — debt sweep (7 ACs) ([#73](#73)) ([06d2bb1](06d2bb1))

### Documentation

* **repo:** pre-publish npm readiness — READMEs, GOVERNANCE, CODEOWNERS, package metadata ([dd10f72](dd10f72))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/core-types bumped to 0.2.0
</details>

<details><summary>ingestion: 0.2.0</summary>

## [0.2.0](ingestion-v0.1.0...ingestion-v0.2.0) (2026-05-12)

### ⚠ BREAKING CHANGES

* replace LSP oracle with SCIP indexers (TS/Py/Go/Rust/Java) ([#32](#32))

### Features

* **cli:** add --strict-detectors flag + ts-morph optional dep ([329f5c3](329f5c3))
* **embedder:** add SageMaker backend for remote embeddings ([9b5c53d](9b5c53d))
* **embedder:** replace Arctic Embed XS with gte-modernbert-base ([#31](#31)) ([1214071](1214071))
* **ingestion:** [@doc](https://github.com/doc) captures + description field populated ([d63dfa6](d63dfa6))
* **ingestion:** add receiver resolver + detector precision (P06) ([431f428](431f428))
* **ingestion:** add top-20 framework detection catalog and dispatcher ([02f4864](02f4864))
* **ingestion:** capture MCP tool inputSchema as canonical JSON ([9872710](9872710))
* **ingestion:** emit CodeElement stubs for external imports ([49eefe7](49eefe7))
* **ingestion:** emit file-level and community-level embeddings ([09a117f](09a117f))
* **ingestion:** FastAPI, Spring, NestJS, Rails route detectors ([62bebfb](62bebfb))
* **ingestion:** Go IMPLEMENTS method-set resolver + C++20 import ([85c60f9](85c60f9))
* **ingestion:** nested .gitignore with layered negation ([40b5286](40b5286))
* **ingestion:** populate DependencyNode license from manifest ([f947194](f947194))
* **ingestion:** provider-driven complexity + Halstead volume ([5e1379a](5e1379a))
* **ingestion:** soft-fail summarize on credential errors, thread summaryModel ([d90eb38](d90eb38))
* **ingestion:** WASM fallback via web-tree-sitter + --wasm-only flag ([cecb401](cecb401))
* **ingestion:** wire framework catalog into profile phase ([d491401](d491401))
* initial public release of opencodehub v0.1.1 ([3f23006](3f23006))
* replace LSP oracle with SCIP indexers (TS/Py/Go/Rust/Java) ([#32](#32)) ([1cceb24](1cceb24))
* v1 finalize Track C — debt sweep (7 ACs) ([#73](#73)) ([06d2bb1](06d2bb1))

### Bug Fixes

* **ingestion:** enumerate git submodule paths in the scan phase ([d290d04](d290d04))
* **ingestion:** skip submodule paths in the ownership blame pass ([e28f3e6](e28f3e6))
* **scip-ingest:** resolve caller/callee correctly for SCIP edges ([c15f928](c15f928))

### Performance

* **embeddings:** cross-node batching + worker pool ([#33](#33)) ([acb59d0](acb59d0))

### Documentation

* **repo:** pre-publish npm readiness — READMEs, GOVERNANCE, CODEOWNERS, package metadata ([dd10f72](dd10f72))

### Refactoring

* consolidate repo-local dir references on META_DIR_NAME ([ce4b63d](ce4b63d))
* **core-types:** centralize LanguageId in core-types ([4c33fc7](4c33fc7))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.1.1
    * @opencodehub/core-types bumped to 0.2.0
    * @opencodehub/embedder bumped to 0.1.1
    * @opencodehub/storage bumped to 0.1.1
</details>

<details><summary>mcp: 0.2.0</summary>

## [0.2.0](mcp-v0.1.0...mcp-v0.2.0) (2026-05-12)

### ⚠ BREAKING CHANGES

* replace LSP oracle with SCIP indexers (TS/Py/Go/Rust/Java) ([#32](#32))

### Features

* **embedder:** replace Arctic Embed XS with gte-modernbert-base ([#31](#31)) ([1214071](1214071))
* initial public release of opencodehub v0.1.1 ([3f23006](3f23006))
* M7 LadybugDB default + IGraphStore abstraction hardening (Track A) ([#71](#71)) ([0175113](0175113))
* **mcp,cli:** join symbol summaries into query results (P04 surface) ([3d73b65](3d73b65))
* **mcp:** short-circuit list_findings_delta via stored baselineState ([4d9c187](4d9c187))
* **mcp:** surface structured FrameworkDetection in project_profile tool ([15fb309](15fb309))
* replace LSP oracle with SCIP indexers (TS/Py/Go/Rust/Java) ([#32](#32)) ([1cceb24](1cceb24))
* **search:** add filter-aware zoom retrieval across hierarchical tiers ([5ab80c4](5ab80c4))
* v1 finalize Track C — debt sweep (7 ACs) ([#73](#73)) ([06d2bb1](06d2bb1))

### Documentation

* **repo:** pre-publish npm readiness — READMEs, GOVERNANCE, CODEOWNERS, package metadata ([dd10f72](dd10f72))

### Refactoring

* **mcp:** consume shared tryOpenEmbedder + embeddingsPopulated from @opencodehub/search ([54f00de](54f00de))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.1.1
    * @opencodehub/core-types bumped to 0.2.0
    * @opencodehub/embedder bumped to 0.1.1
    * @opencodehub/sarif bumped to 0.1.1
    * @opencodehub/scanners bumped to 0.1.1
    * @opencodehub/search bumped to 0.1.1
    * @opencodehub/storage bumped to 0.1.1
</details>

<details><summary>sarif: 0.1.1</summary>

## [0.1.1](sarif-v0.1.0...sarif-v0.1.1) (2026-05-12)

### Features

* initial public release of opencodehub v0.1.1 ([3f23006](3f23006))

### Documentation

* **repo:** pre-publish npm readiness — READMEs, GOVERNANCE, CODEOWNERS, package metadata ([dd10f72](dd10f72))
</details>

<details><summary>scanners: 0.1.1</summary>

## [0.1.1](scanners-v0.1.0...scanners-v0.1.1) (2026-05-12)

### Features

* detect-secrets as 20th scanner (Track B) ([#72](#72)) ([8fbdd61](8fbdd61))
* **embedder:** replace Arctic Embed XS with gte-modernbert-base ([#31](#31)) ([1214071](1214071))
* initial public release of opencodehub v0.1.1 ([3f23006](3f23006))
* v1 finalize Track C — debt sweep (7 ACs) ([#73](#73)) ([06d2bb1](06d2bb1))

### Documentation

* **repo:** pre-publish npm readiness — READMEs, GOVERNANCE, CODEOWNERS, package metadata ([dd10f72](dd10f72))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/sarif bumped to 0.1.1
</details>

<details><summary>search: 0.1.1</summary>

## [0.1.1](search-v0.1.0...search-v0.1.1) (2026-05-12)

### Features

* detect-secrets as 20th scanner (Track B) ([#72](#72)) ([8fbdd61](8fbdd61))
* **embedder:** replace Arctic Embed XS with gte-modernbert-base ([#31](#31)) ([1214071](1214071))
* initial public release of opencodehub v0.1.1 ([3f23006](3f23006))
* M7 LadybugDB default + IGraphStore abstraction hardening (Track A) ([#71](#71)) ([0175113](0175113))
* **search:** add filter-aware zoom retrieval across hierarchical tiers ([5ab80c4](5ab80c4))
* **search:** extract tryOpenEmbedder + embeddingsPopulated, demote NullEmbedder throw ([c4cc680](c4cc680))

### Documentation

* **repo:** pre-publish npm readiness — READMEs, GOVERNANCE, CODEOWNERS, package metadata ([dd10f72](dd10f72))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/core-types bumped to 0.2.0
    * @opencodehub/storage bumped to 0.1.1
</details>

<details><summary>storage: 0.1.1</summary>

## [0.1.1](storage-v0.1.0...storage-v0.1.1) (2026-05-12)

### Features

* **embedder:** replace Arctic Embed XS with gte-modernbert-base ([#31](#31)) ([1214071](1214071))
* **ingestion:** emit file-level and community-level embeddings ([09a117f](09a117f))
* initial public release of opencodehub v0.1.1 ([3f23006](3f23006))
* M7 LadybugDB default + IGraphStore abstraction hardening (Track A) ([#71](#71)) ([0175113](0175113))
* **mcp:** short-circuit list_findings_delta via stored baselineState ([4d9c187](4d9c187))
* **search:** add filter-aware zoom retrieval across hierarchical tiers ([5ab80c4](5ab80c4))
* **storage:** add granularity column to embeddings for hierarchical retrieval ([b5bd5f8](b5bd5f8))
* **storage:** add summary fields to SearchResult and batch lookup helper ([4944a56](4944a56))
* **storage:** persist structured FrameworkDetection in frameworks_json ([75423fe](75423fe))
* **storage:** populate reserved complexity, coverage, deadness columns ([c81e4c3](c81e4c3))
* v1 finalize Track C — debt sweep (7 ACs) ([#73](#73)) ([06d2bb1](06d2bb1))

### Bug Fixes

* **storage:** wire @ladybugdb/core binding, fix lbug open() guards, upgrade pnpm v10→v11 ([#93](#93)) ([78d6a85](78d6a85))

### Documentation

* **repo:** pre-publish npm readiness — READMEs, GOVERNANCE, CODEOWNERS, package metadata ([dd10f72](dd10f72))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/core-types bumped to 0.2.0
</details>

<details><summary>root: 0.2.0</summary>

## [0.2.0](root-v0.1.1...root-v0.2.0) (2026-05-12)

### ⚠ BREAKING CHANGES

* **release:** footers in the commit log.
* replace LSP oracle with SCIP indexers (TS/Py/Go/Rust/Java) ([#32](#32))

### Features

* artifact factory + codehub init + CI UX fixes ([#38](#38)) ([d6ffafa](d6ffafa))
* cleanups ([bf1536e](bf1536e))
* **cli:** add --granularity flag to analyze for hierarchical embeddings ([defa9b6](defa9b6))
* **cli:** add --strict-detectors flag + ts-morph optional dep ([329f5c3](329f5c3))
* **cli:** add exact-name resolver and disambiguation flags to context ([7f279a9](7f279a9))
* **cli:** flip query hybrid-by-default with --bm25-only + --rerank-top-k ([3e924b5](3e924b5))
* **core-types:** scaffold v1.1 node-shape extensions for planned packets ([e17a4b5](e17a4b5))
* detect-secrets as 20th scanner (Track B) ([#72](#72)) ([8fbdd61](8fbdd61))
* **embedder:** add SageMaker backend for remote embeddings ([9b5c53d](9b5c53d))
* **embedder:** replace Arctic Embed XS with gte-modernbert-base ([#31](#31)) ([1214071](1214071))
* **gym:** add rust-spike trigger benchmark ([43c26d3](43c26d3))
* **ingestion:** [@doc](https://github.com/doc) captures + description field populated ([d63dfa6](d63dfa6))
* **ingestion:** add receiver resolver + detector precision (P06) ([431f428](431f428))
* **ingestion:** add top-20 framework detection catalog and dispatcher ([02f4864](02f4864))
* **ingestion:** capture MCP tool inputSchema as canonical JSON ([9872710](9872710))
* **ingestion:** emit CodeElement stubs for external imports ([49eefe7](49eefe7))
* **ingestion:** emit file-level and community-level embeddings ([09a117f](09a117f))
* **ingestion:** FastAPI, Spring, NestJS, Rails route detectors ([62bebfb](62bebfb))
* **ingestion:** Go IMPLEMENTS method-set resolver + C++20 import ([85c60f9](85c60f9))
* **ingestion:** nested .gitignore with layered negation ([40b5286](40b5286))
* **ingestion:** populate DependencyNode license from manifest ([f947194](f947194))
* **ingestion:** provider-driven complexity + Halstead volume ([5e1379a](5e1379a))
* **ingestion:** soft-fail summarize on credential errors, thread summaryModel ([d90eb38](d90eb38))
* **ingestion:** WASM fallback via web-tree-sitter + --wasm-only flag ([cecb401](cecb401))
* **ingestion:** wire framework catalog into profile phase ([d491401](d491401))
* initial public release of opencodehub v0.1.1 ([3f23006](3f23006))
* M7 LadybugDB default + IGraphStore abstraction hardening (Track A) ([#71](#71)) ([0175113](0175113))
* **mcp,cli:** join symbol summaries into query results (P04 surface) ([3d73b65](3d73b65))
* **mcp:** short-circuit list_findings_delta via stored baselineState ([4d9c187](4d9c187))
* **mcp:** surface structured FrameworkDetection in project_profile tool ([15fb309](15fb309))
* replace LSP oracle with SCIP indexers (TS/Py/Go/Rust/Java) ([#32](#32)) ([1cceb24](1cceb24))
* **scanners:** persist partialFingerprint, baselineState, suppressedJson ([fb4585d](fb4585d))
* **search:** add filter-aware zoom retrieval across hierarchical tiers ([5ab80c4](5ab80c4))
* **search:** extract tryOpenEmbedder + embeddingsPopulated, demote NullEmbedder throw ([c4cc680](c4cc680))
* **storage:** add granularity column to embeddings for hierarchical retrieval ([b5bd5f8](b5bd5f8))
* **storage:** add summary fields to SearchResult and batch lookup helper ([4944a56](4944a56))
* **storage:** persist structured FrameworkDetection in frameworks_json ([75423fe](75423fe))
* **storage:** populate reserved complexity, coverage, deadness columns ([c81e4c3](c81e4c3))
* v1 finalize Track C — debt sweep (7 ACs) ([#73](#73)) ([06d2bb1](06d2bb1))
* v1 finalize Track D — dogfood polish (6 ACs) ([#75](#75)) ([e9da048](e9da048))

### Bug Fixes

* **ci:** pin gopls@v0.18.1 for Go 1.23 + add pnpm build-script allowlist ([c78b31d](c78b31d))
* **cli:** accurate doctor native-binding + int8 weights checks ([fb569f9](fb569f9))
* **deps:** bump minimatch override to 9.0.7 (GHSA-23c5/-7r86) ([7f6e2ae](7f6e2ae))
* **deps:** pin brace-expansion/minimatch/picomatch to patched versions ([5a7d1e0](5a7d1e0))
* **deps:** refresh pnpm-lock.yaml with ts-morph optional dep from P06 ([0dfee11](0dfee11))
* **docs:** rename agents/*.md to .mdx so JSX components render ([#89](#89)) ([d2d8bc7](d2d8bc7))
* **gym:** update corpus test waiver ID to window.desktop after PR [#38](#38) rename ([933b5f2](933b5f2))
* **ingestion:** enumerate git submodule paths in the scan phase ([d290d04](d290d04))
* **ingestion:** skip submodule paths in the ownership blame pass ([e28f3e6](e28f3e6))
* **repo:** replace stale lsp-oracle tsconfig reference with scip-ingest ([0ce5e29](0ce5e29))
* **scip-ingest:** resolve caller/callee correctly for SCIP edges ([c15f928](c15f928))
* **storage:** wire @ladybugdb/core binding, fix lbug open() guards, upgrade pnpm v10→v11 ([#93](#93)) ([78d6a85](78d6a85))

### Performance

* **embeddings:** cross-node batching + worker pool ([#33](#33)) ([acb59d0](acb59d0))

### Documentation

* add SPECS, USECASE, and OBJECTIVES docs ([f3120de](f3120de))
* **adr:** record hierarchical embeddings decision (0004) ([6d28631](6d28631))
* **adr:** update 0002 with P09 Phase 1 measurements ([92b9a1c](92b9a1c))
* clean-slate v1 — drop migration prose, milestone framing, 0.x caveats ([#90](#90)) ([af88fbc](af88fbc))
* compound — durable lessons from docs site revival ([#88](#88)) ([95642f0](95642f0))
* compound — durable lessons from v1 upstream bug sweep ([#77](#77)) ([60eef57](60eef57))
* deep refresh + sync + new architecture pages ([3693ddd](3693ddd))
* **repo:** durable lesson — set NODE_ENV at script scope for astro in CI ([18c159b](18c159b))
* **repo:** durable lesson — stale tsconfig project references ([ea67d7a](ea67d7a))
* **repo:** EARS 006 spec — v1 finalize (M7 + constraint-10 + debt + dogfood) ([67198e3](67198e3))
* **repo:** pre-publish npm readiness — READMEs, GOVERNANCE, CODEOWNERS, package metadata ([dd10f72](dd10f72))
* restore Starlight site + refresh for v1 + agent-friendly USAGE section ([#87](#87)) ([d9b2b30](d9b2b30))
* **site:** add Astro Starlight docs site + GitHub Pages deploy ([#34](#34)) ([5ce0191](5ce0191))
* **site:** add llms.txt + Copy-as-Markdown + Open-in-ChatGPT/Claude ([#36](#36)) ([149ba4e](149ba4e))
* **site:** inject LLM-nav banner + 'See also' footer into every .md ([#37](#37)) ([77190a5](77190a5))
* strip legacy stanzas + capture session lessons ([85f6881](85f6881))

### Refactoring

* consolidate repo-local dir references on META_DIR_NAME ([ce4b63d](ce4b63d))
* **core-types:** centralize LanguageId in core-types ([4c33fc7](4c33fc7))
* **mcp:** consume shared tryOpenEmbedder + embeddingsPopulated from @opencodehub/search ([54f00de](54f00de))
* **plugin:** file-level packet skeletons for codehub-document ([40a09c8](40a09c8))

### CI

* **release:** keep 0.x semver — breaking changes bump minor, feats bump patch ([a6ee4bf](a6ee4bf))
</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

--------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Laith Al-Saadoon <alsaadoonlaith@gmail.com>
Co-authored-by: Laith Al-Saadoon <9553966+theagenticguy@users.noreply.github.com>