
build(deps): bump github/codeql-action from 3 to 4 #9

Closed
dependabot[bot] wants to merge 167 commits into master from dependabot/github_actions/github/codeql-action-4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 8, 2026

Bumps github/codeql-action from 3 to 4.

Release notes

Sourced from github/codeql-action's releases.

v3.35.4

  • Update default CodeQL bundle version to 2.25.4. #3881

v3.35.3

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

v3.35.2

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

v3.35.1

v3.35.0

v3.34.1

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v3.34.0

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

v3.33.0

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562 To opt out of this change:
    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557
  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559
  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563
  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564
  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

v3.32.6

  • Update default CodeQL bundle version to 2.24.3. #3548

v3.32.5

  • Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
  • Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

4.32.3 - 13 Feb 2026

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

4.32.2 - 05 Feb 2026

  • Update default CodeQL bundle version to 2.24.1. #3460

4.32.1 - 02 Feb 2026

  • A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
  • Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

4.32.0 - 26 Jan 2026

  • Update default CodeQL bundle version to 2.24.0. #3425

4.31.11 - 23 Jan 2026

  • When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409
  • Improved error handling throughout the CodeQL Action. #3415
  • Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #3318
  • The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #3403

4.31.10 - 12 Jan 2026

  • Update default CodeQL bundle version to 2.23.9. #3393

4.31.9 - 16 Dec 2025

No user facing changes.

4.31.8 - 11 Dec 2025

  • Update default CodeQL bundle version to 2.23.8. #3354

4.31.7 - 05 Dec 2025

  • Update default CodeQL bundle version to 2.23.7. #3343

4.31.6 - 01 Dec 2025

No user facing changes.

4.31.5 - 24 Nov 2025

  • Update default CodeQL bundle version to 2.23.6. #3321

4.31.4 - 18 Nov 2025

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
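The release notes above mention two knobs an advanced-setup workflow can set when moving to v4: the `trap-caching: false` input on the init Action (instead of the deprecated `CODEQL_ACTION_CLEANUP_TRAP_CACHES` variable) and the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable that keeps file coverage on pull requests. The workflow below is an added example, not this repository's own `codeql.yml` and not code from github/codeql-action; the language, branch names, schedule, checkout step and the `category` value are assumptions. Tags are shown for readability; in a real workflow pin each action to a full commit SHA.

```yaml
# Added example, not the repository's actual codeql.yml. Language, branches,
# schedule and category are assumptions; pin actions to full commit SHAs in practice.
name: CodeQL

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: "0 6 * * 1"

permissions:
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF results
    env:
      # Release notes: from April 2026 file coverage is skipped on PR analyses.
      # Setting this keeps it on for pull requests in advanced setup.
      CODEQL_ACTION_FILE_COVERAGE_ON_PRS: "true"
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v4
        with:
          languages: javascript-typescript
          build-mode: none
          # Improved incremental analysis supersedes TRAP caching; the release
          # notes recommend disabling it here rather than via the deprecated
          # CODEQL_ACTION_CLEANUP_TRAP_CACHES variable.
          trap-caching: false
      - uses: github/codeql-action/analyze@v4
        with:
          category: "/language:javascript-typescript"
```

The job-level `permissions` block grants only what upload needs (`security-events: write`) while the workflow default stays read-only, which is the least-privilege shape to keep when a major-version bump of the action lands.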

gibbon and others added 30 commits March 28, 2026 18:15
Slidev slide deck for stakeholder presentation covering:
- Problem statement and cost of no enforcement
- The AI Sandwich concept (AI + Determinism + AI)
- Spec-driven generation workflow and YAML spec examples
- Regeneration safety, schema types, and bundle ecosystem
- Competitive comparison, production stats, and commercial model
- Market timing, prior art, and Stage 1 scope

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Merged internal and business decks into slides-business/
- Internal deck (slides/) refocused as internal go/no-go discussion
- Business plan rewritten around end-to-end pipeline (spec → generate → deploy)
- Product framing evolved: individual dev capture/replay → org transformation
- New slides: platform team workflow, developer/PM roles, AI-enabled team structure
- Product architecture: pluggable pipeline integrations (GitHub Actions, GitLab CI)
- Acquisition research with real comps (Astral, Bun, DX, Promptfoo, Windsurf)
- Honest assessment of business options, risks, and open questions
- Removed MCP-first strategy in favour of CLI-native (AI agents call CLIs directly)
- Removed Terraform branding, marketplace assumptions, inflated revenue projections

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- New slides-org/ deck focused on org transformation story
  "Smaller Teams. Faster Delivery. Fewer Handoffs."
- Website updated: hero, problem, AI sandwich, how-it-works all reframed
  around coordination overhead and org change
- New /ai-sandwich detail page with patent pending easter egg
- AI Sandwich first layer split into Domain Specs + Template Curation
- Examples changed from Pexa (workspace/compliance) to generic (orders)
- Removed CQRS and DLQ as standalone features throughout
- Business plan updated with target market, input adapters, design loops
- Cloudflare Pages deployment configured (fixedcode-ai)
- Added .gitignore for node_modules, dist, out, env files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…ctions

Website:
- Hero: tabbed terminal (AI Agent / CLI / CI Pipeline modes)
- SVG sandwich diagram with hover glow animations
- "Why not just one or the other?" section (AI vs scaffolding vs both)
- AI Sandwich split: Domain Specs + Template Curation as separate activities
- HowItWorks: syntax-highlighted code blocks, icons, role dissolving callout
- Org Change section moved up, rewritten around role blurring
- Proven at Scale section with 6 production stats
- Who It's For section (mid-market regulated, fast-scaling, AI-adopting)
- How It Scales section (individual → team → platform → enterprise)
- Pricing page (/pricing) with 4 tiers: Free, Team ($99), Org ($499), Enterprise
- /ai-sandwich detail page with patent pending easter egg
- Light/dark mode toggle
- Shared SVG icons (Person, Robot, Factory) used across site
- Removed Pexa-specific examples (workspace → orders)
- Removed CQRS/DLQ as standalone features
- Generic task tracker references (not Jira-specific)
- Human interaction lines highlighted in purple in terminal

Slides:
- AI Sandwich first layer split into Domain Specs + Template Curation
- Stats show labels first, numbers reveal on click
- ~3s generation time, 100% CFR compliance

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Code example section now tabbed: Domain Service, AI Agent, Orchestrator
  Same engine, different spec + bundle — demonstrated visually
- Agent spec shows tools, middleware, auth generation
- Orchestrator spec shows 4-agent sequential pipeline generation
- Each tab shows spec input → generated file tree output
- Removed outdated slides/ deck (superseded by slides-org/)
- SchemaTypes: split into Services + AI Infrastructure categories
- Bundles: added agent, MCP server, orchestrator bundles + "Your Pattern" card
- Business plan kept — contains unique strategic content not in slides

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Merged unique slides from slides-business/ into slides-org/:
  Competitive Landscape, What We'd Build, What Gets Acquired
- Deleted slides-business/ — all content now in slides-org/
- Single deck at /slides/ covers everything: org transformation,
  product, market, acquisition context, risks, decision

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Cleanroom rewrite of GAP CLI as a pluggable, spec-driven code
generation engine. TypeScript, Handlebars, Commander, npm bundles.
Addresses review feedback: multi-file generation, error handling,
bundle loading mechanics, config resolution, post-render hooks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

16 tasks across 4 phases: context model design, engine pipeline,
CLI, and end-to-end integration. Context-model-first approach.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Fix {{../package}} → {{package}} (engine merges flat context)
- Remove broken require() code, use direct ESM import
- Add kebabPlural to NameVariants, use for endpoint computation
- Add {{/each}} boundary directory to template structure
- Fix loadConfig receiving file path instead of directory
- Add engine build step before spike bundle compilation
- Use consistent dirname(fileURLToPath()) pattern
- Explicitly list deferred items in Not Included section

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Add configDir to FixedCodeConfig, set by loadConfig
- Pass configDir to resolveBundle for local path resolution
- Fix itemContext merge order (item takes precedence over parent)
- Update all tests with configDir parameter

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Phase 1: DDD spike bundle with context model, enrichment functions, 28 passing tests
- Phase 2: Engine pipeline (parse, config, resolve, validate, render, write)
- Phase 3: CLI with generate, validate, init commands
- Handlebars rendering with {{#each}} directory iteration
- Bundle resolution from .fixedcode.yaml config
- bundle-crud-api with enrichment for resources, fields, endpoints
- Generates Express router + TypeScript model interfaces
- 5 REST endpoints per resource (GET list/item, POST, PUT, DELETE)
- Custom Handlebars helpers in bundle
- Better validation error messages with path and details
- Add bundle init command to scaffold new bundles
- Updated CLI help with bundle commands
- Create spring-domain bundle with package.json, tsconfig, vitest config
- Add schema.json defining DDD aggregates structure
- Implement stub index.ts with enrich() and generateFiles()
- Export FileEntry type from engine for bundle compatibility

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

gibbon and others added 22 commits April 24, 2026 09:00
New deterministic bundle for generating CRUD tools backed by the r.dan
state KV. Input spec: { name, description, namespace?, fields[] }.
Output: a single handler with `action: add|list|get|update|delete`
dispatch, wired to getState/saveState/listState/deleteState helpers.

Fills the template gap that caused the media-tracker incident — builder
previously had no deterministic path for 'track/manage/store entity X'
requests and fell back to emitting unwired stub files. Paired with the
r.dan-side kernel-client additions and the namespace-scoped state
delete endpoint (separate commit).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…name

rdan-dashboard-page-crud:
  New bundle that emits a full dashboard page YAML at
  registry/pages/<slug>.yaml. The page is a single custom component with
  inline HTML driving a CRUD form + list table via rdan.ui (button /
  input / select / table) and rdan.callTool against a paired state-crud
  tool. Never calls prompt() / confirm() / localStorage — the sandboxed
  iframe blocks those, which was the other half of the media-tracker
  failure. Delete uses an inline confirm/cancel toggle in the row so
  the page survives the output-shape lint and page-render gate.

rdan-tool-state-crud fix:
  The enrich function exposed only a kebab-case Name, so the emitted
  TS record type came out as e.g. `type Recordmedia-crud = …` which
  doesn't compile. Add a PascalCase NamePascal and use it for the
  generated type name (RecordMediaCrud). Tested via end-to-end
  fixedcode generate against /tmp/state-crud-sample.yaml.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…an-tool-local

Two linked changes that close the 'installed but broken' stub class:

rdan-tool-compute (new):
  Pure-stateless JS computation kind. Spec: { tool: { name, description,
  code, inputFields?, tags? } } where `code` is the real handler body.
  Enrich refuses obvious stubs (`return {};`, `TODO: implement`, empty
  body) so callers can't smuggle a placeholder through this path.
  Covers coin flip / dice / hash / uuid / base64 / format-helper asks
  that previously fell through to rdan-tool-local's source=code stub.
  7 unit tests + end-to-end fixedcode-generate verification.

rdan-tool-local (changes):
  Remove "code" from the source enum and reject source='code' in enrich
  with a pointer to rdan-tool-compute. The IsCode context var and the
  stub branch in the handler template are gone. Existing stub tools
  registered against the old shape are tombstoned already; no live
  regression.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Generates a Next.js dashboard route at dashboard/app/<slug>/page.tsx
— a 3-pane scope -> item -> content browser wired to existing kernel
routes via the /api/rdan/internal/<route> catch-all proxy. Spec
shape covers scope listing, per-scope item listing (string-paths
or object-with-name shape), and read/write endpoints for the editor.

Mirrors the structure of rdan-dashboard-page-crud (schema.json + Hbs
template + enrich.ts) but emits Next.js TSX instead of a sandboxed
iframe page YAML. Used by r.dan/builder when classify-build-request
returns kind=rdan-dashboard-nextjs-page (i.e. requests that wrap
existing kernel routes — memory pages, log viewers, session inspectors).

4 enrich tests cover slug kebab-casing, default field fallbacks,
and string-paths vs objects-with-name shape.

Spec covering 5 phases: cleanup (incl. rdan move + history rewrite),
security review, documentation, CI/CD, npm publish.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Status flipped to Approved, Codecov skip behaviour spelled out,
npm-name fallback documented, 2026-04-06 doc decision pre-resolved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

40 tasks across 5 phases (cleanup, security review, docs, CI/CD, publish).
References spec at 2026-05-08-productionise-fixedcode-design.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…il default)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- Remove all rdan-* bundles (moved to ~/projects/r.dan/bundles/).
- Strip rdan refs from .fixedcode.yaml and registry.json.
- Excise rdan-agent sections from 2026-04-06 design doc.
- Remove cruft: order-build/, build/, aggregates}}/, slides-org/, old-cli/,
  design PDFs (Engineering a Deterministic Global Platform.pdf,
  GAP CLI - Technical Deep Dive.pdf), stray root package.json + node_modules,
  *:Zone.Identifier files, order-domain.yaml.
- Tighten .gitignore (add .DS_Store, *:Zone.Identifier, *-build/,
  *.tsbuildinfo, coverage/, .vitest-cache/, .eslintcache).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- Remove dead bundles/ddd-basic (TS build broken on arrival, only ever
  one commit, superseded by spring-domain). Drop from .fixedcode.yaml.
- Add --passWithNoTests to vitest in crud-api, mcp-wrapper, openapi
  generator (bundles without test files were exiting non-zero).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

12 findings consolidated from 4 parallel audit agents. Fix this phase:
F-1 (bundle-init path traversal), F-5 (registryRepo arg), F-7 (npm install
regex), F-8 (LLM baseUrl), F-9 (enrich LLM-output warning + docs).
7 medium/low findings deferred to issues.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- F-1: validateBundleName() in cli/bundle-init.ts rejects path traversal
  in `fixedcode bundle init <name>`. Pattern: ^[a-z0-9][a-z0-9_-]*$.
- F-5: validateRegistryRepo() in engine/registry.ts rejects flag-style
  values that gh might interpret as options. Pattern: owner/repo.
- F-7: tighten npm-install command parser. Disallow .. and absolute or
  relative paths in the package identifier.
- F-8: validateBaseUrl() in engine/llm.ts allowlist of LLM hosts
  (openrouter, openai, anthropic, localhost). Reject http on non-loopback.
  Prevents API-key + project-content exfiltration via crafted .fixedcode.yaml.
- F-9: print a privacy banner at the start of every enrich session
  listing the LLM endpoint and reminding the user to review via git diff
  before committing.

Tests: 161/161 passing (+30 from new tests). Smoke test green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- F-7: extend install allow-list to accept github:owner/repo[#ref]
  spec (publishPackage produces this for bundles with a GitHub repo URL).
  Add INSTALL_GITHUB_PATTERN. Loosen npm version-range portion to accept
  ^/~/>=/+ semver operators while still rejecting ..
- F-8: add IPv6 loopback [::1] to LLM allowlist. Bracket-normalise
  url.hostname for both WHATWG (kept brackets) and older parsers.
- F-1 test: replace unintentionally-escaped null-byte test with a
  whitespace-rejection test that actually exercises the regex boundary.
- Tests: 169/169 passing (+8 new). Smoke green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
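
The two security-review commits above (F-1 bundle-name validation, F-5 registry-repo validation, F-8 LLM baseUrl allowlist with loopback and IPv6 bracket handling) describe checks in prose only. The block below is an added example written for this page, not the fixedcode project's own `cli/bundle-init.ts`, `engine/registry.ts` or `engine/llm.ts`; the function names, the registry-repo pattern, the allowlist contents and the `isAllowedBaseUrl` wrapper are assumptions. It shows the shape of each check, including the two edge cases the commits call out: plain `http` only on loopback, and `[::1]` compared after bracket normalisation.

```typescript
// Added example, not the fixedcode project's own code. Function names, the
// registry pattern and the allowlist contents are assumptions for illustration.

// F-1: a bundle name becomes a directory name, so anything that could traverse
// or escape (".." , "/", leading "-", whitespace, uppercase) is rejected outright.
const BUNDLE_NAME = /^[a-z0-9][a-z0-9_-]*$/;

// F-5: the registry repo is handed to `gh`, where a value starting with "-"
// would be parsed as an option. Accept exactly one "owner/repo" pair. (assumed pattern)
const REGISTRY_REPO = /^[A-Za-z0-9][A-Za-z0-9._-]*\/[A-Za-z0-9][A-Za-z0-9._-]*$/;

// F-8: hosts allowed to receive the API key and project content. Assumed list.
const ALLOWED_LLM_HOSTS: ReadonlySet<string> = new Set([
  "openrouter.ai",
  "api.openai.com",
  "api.anthropic.com",
]);

function validateBundleName(name: string): string {
  if (!BUNDLE_NAME.test(name)) {
    throw new Error(`invalid bundle name ${JSON.stringify(name)}: expected ${BUNDLE_NAME}`);
  }
  return name;
}

function validateRegistryRepo(repo: string): string {
  if (!REGISTRY_REPO.test(repo)) {
    throw new Error(`invalid registry repo ${JSON.stringify(repo)}: expected owner/repo`);
  }
  return repo;
}

// The WHATWG URL parser keeps the brackets on IPv6 hostnames ("[::1]"); older
// parsers strip them. Normalise so both forms compare equal to the allowlist.
function stripBrackets(hostname: string): string {
  return hostname.replace(/^\[|\]$/g, "");
}

function isLoopback(hostname: string): boolean {
  const h = stripBrackets(hostname);
  return h === "localhost" || h === "::1" || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

function validateBaseUrl(raw: string): URL {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`LLM baseUrl is not a valid URL: ${raw}`);
  }
  // Credentials embedded in the URL would be logged and sent along with the key.
  if (url.username !== "" || url.password !== "") {
    throw new Error("LLM baseUrl must not embed credentials");
  }
  const loopback = isLoopback(url.hostname);
  if (url.protocol === "http:") {
    // Plain http off-box would send the API key and prompts in clear text.
    if (!loopback) throw new Error("http:// LLM baseUrl is only allowed on loopback");
  } else if (url.protocol !== "https:") {
    throw new Error(`unsupported LLM baseUrl scheme ${url.protocol}`);
  }
  const host = stripBrackets(url.hostname);
  if (!loopback && !ALLOWED_LLM_HOSTS.has(host)) {
    throw new Error(`LLM host ${host} is not in the allowlist`);
  }
  return url;
}

// Boolean wrapper for callers that want a verdict rather than an exception.
function isAllowedBaseUrl(raw: string): boolean {
  try {
    validateBaseUrl(raw);
    return true;
  } catch {
    return false;
  }
}
```

The allowlist is matched on the parsed hostname, not on a substring of the raw string, so `https://api.openai.com.attacker.example/` is rejected and a lowercase/uppercase host variant is normalised by the URL parser before comparison. The same `.fixedcode.yaml` that names the baseUrl is untrusted project content, which is why the check runs before any request is made.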
Closes the high-severity Vite vulns flagged by `npm audit --audit-level=high`
in engine and the moderate vulns in 8 bundles + openapi generator (all from
old vitest 1.2.2 transitive). All packages now report 0 vulnerabilities.

Tests: engine 169/169, spring-domain 46/46, python-agent 17/17 — all green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…ELOG

Productionisation Phase 3 root-level docs. README covers value prop,
quickstart, concepts, bundle catalog, CFRs, and links to docs/ tree.
SECURITY.md links the v0.2.0 findings doc and disclosure email.
CHANGELOG.md initial 0.2.0 entry summarising the productionisation push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Bug, feature, and question issue templates plus a PR template that
enforces a test plan and links. FUNDING.yml is commented-out by default.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…egistry, llm, release)

Seven new docs covering the engine pipeline & contracts, bundle authoring,
generator authoring, the CFR catalog & workflow, the registry distribution
model, LLM trust boundaries & baseUrl allowlist, and the maintainer release
playbook (npm trusted publisher, branch protection, pre-release checklist).

All linked from README.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Each bundle README has a tagline, install command, generated-output summary,
spec highlights, optional adapters note, and links into docs/. Engine README
has a CLI command table and programmatic API summary.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- eslint.config.js (flat config, typescript-eslint, no-empty-object-type fix
  in spring-domain). Lint passes with 0 errors / 53 advisory warnings.
- .prettierrc.json + .prettierignore. format check clean across the repo
  after a one-shot reformat (mostly trailing commas and quote normalisation).
- Root package.json with scripts: lint, lint:fix, format, format:check.

Tests: 169/169 still passing post-reformat.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- ci.yml: matrix on Node 20/22; lint, format check, typecheck, build, test
  the engine + each bundle + each generator, plus a smoke generation test.
  npm audit is advisory (continue-on-error).
- release.yml: triggers on v* tags. npm publish --provenance with OIDC
  trusted publisher; falls back to NPM_TOKEN secret if configured. Creates
  a GitHub Release with auto-generated notes and the tarball attached.
- codeql.yml: weekly + per-PR JS/TS scanning.
- dependabot.yml: weekly npm and github-actions updates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and github_actions labels May 8, 2026
@gibbon gibbon closed this May 8, 2026

dependabot Bot commented on behalf of github May 8, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/github_actions/github/codeql-action-4 branch May 8, 2026 15:23