From 4d3e4821db9a466904fe0f2db93a040bf0e5cbc5 Mon Sep 17 00:00:00 2001 From: btwshivam Date: Sun, 17 May 2026 05:49:22 +0530 Subject: [PATCH 1/2] docs: backend module renamed to github.com/optiqor/optiqor; fix CI badge URL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The proprietary monorepo's Go module changed from github.com/optiqor/backend to github.com/optiqor/optiqor. Update the "forbidden import" rule in CLAUDE.md and todo.md so the OSS guardrail references the current name. CI badge URL in README.md was pointing at the wrong workflow path (optiqor/optiqor instead of optiqor/optiqor-cli) — fixed. --- CLAUDE.md | 2 +- README.md | 2 +- todo.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 3a3fc26..2a50859 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -16,7 +16,7 @@ These are not preferences. They are conditions for the OSS funnel to work. - **No LLM calls.** The CLI is a deterministic rule engine. The Sonnet/Opus/Haiku-driven Apply Fix flow lives in the backend, not here. If you find yourself wanting to call an LLM from the CLI, the answer is "send to the SaaS backend's sandbox endpoint instead." - **No telemetry by default.** Zero-config install must not phone home. An opt-in `--share` flag uploads a sanitized analysis to `optiqor.dev/r/` for sharing — that is the only network egress. - **Accuracy disclosure is mandatory in every output.** Every analysis result includes "Sandbox accuracy: ±40%. Install the Optiqor agent for exact numbers (optiqor.dev/get)." Do not remove this. Do not make it dismissible by default. The honesty is the whole pitch. -- **No proprietary backend code may be imported here.** This repo's `go.mod` must never reference `github.com/optiqor/backend`. The CLI is independently buildable, independently auditable, independently licensable. +- **No proprietary backend code may be imported here.** This repo's `go.mod` must never reference `github.com/optiqor/optiqor`. The CLI is independently buildable, independently auditable, independently licensable. - **`pkg/` is the stable public surface.** External programs may import it. Breaking changes go through semver and a deprecation notice. The Optiqor proprietary backend imports `pkg/rules` (the 30-detector library) and `pkg/parser` (Helm values normaliser) directly — this is *the* mechanism by which the SaaS reuses CLI rule definitions instead of forking them. **New detectors land in `pkg/rules` first; the backend follows automatically via vendored module + golden parity tests.** - **`internal/` is private.** Refactor freely. Anything in `internal/` (analyze, render, share, config, render/style) is CLI-side composition that should stay out of the public API surface. diff --git a/README.md b/README.md index c17def9..51ac427 100644 
--- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ [![npm](https://img.shields.io/npm/v/@optiqor/cli.svg?label=%40optiqor%2Fcli&color=blue)](https://www.npmjs.com/package/@optiqor/cli) [![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE) [![Go Reference](https://pkg.go.dev/badge/github.com/optiqor/optiqor-cli.svg)](https://pkg.go.dev/github.com/optiqor/optiqor-cli) -[![CI](https://img.shields.io/github/actions/workflow/status/optiqor/optiqor/ci.yml?branch=main&label=ci)](https://github.com/optiqor/optiqor-cli/actions/workflows/ci.yml) +[![CI](https://img.shields.io/github/actions/workflow/status/optiqor/optiqor-cli/ci.yml?branch=main&label=ci)](https://github.com/optiqor/optiqor-cli/actions/workflows/ci.yml) [![Downloads](https://img.shields.io/npm/dm/@optiqor/cli.svg)](https://www.npmjs.com/package/@optiqor/cli) ```sh diff --git a/todo.md b/todo.md index 56a46d2..dec98f6 100644 --- a/todo.md +++ b/todo.md @@ -50,5 +50,5 @@ These are conditions for the OSS funnel to work. See [CLAUDE.md](CLAUDE.md) for - **No LLM calls.** The CLI is a deterministic rule engine. - **No telemetry by default.** Only `--share` egresses (opt-in). - **Accuracy disclosure mandatory in every output.** Verbatim string; renderers must include it. -- **No proprietary backend code imported.** `go.mod` must never reference `github.com/optiqor/backend`. +- **No proprietary backend code imported.** `go.mod` must never reference `github.com/optiqor/optiqor`. - **`pkg/` is the stable public API.** Breaking changes go through semver and a deprecation notice. From c87d06b31502985e3a6ab41abd8b81548b14ef89 Mon Sep 17 00:00:00 2001 
From: btwshivam Date: Sun, 17 May 2026 05:54:34 +0530 Subject: [PATCH 2/2] fix(ci): unbreak markdown-link-check on standalone checkout Two cross-repo links (../todo.md, ../docs/open_source_cli_playbook.md) only resolve in the dev's local checkout where optiqor-cli is a sibling of the proprietary monorepo. They 404 in CI which only has this repo. Replaced with descriptive prose. External links: replaced the stale sigstore docs URL with the cosign repo (stable). Added ignorePatterns for the unpublished npm package URL and the (not-yet-enabled) Discussions tab. --- .github/mlc-config.json | 4 +++- CLAUDE.md | 2 +- README.md | 2 +- todo.md | 6 +++--- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/mlc-config.json b/.github/mlc-config.json index e3b730f..efb2d33 100644 --- a/.github/mlc-config.json +++ b/.github/mlc-config.json @@ -4,7 +4,9 @@ { "pattern": "^http://127\\.0\\.0\\.1" }, { "pattern": "^http://0\\.0\\.0\\.0" }, { "pattern": "^https://optiqor\\.com" }, - { "pattern": "^https://optiqor\\.dev" } + { "pattern": "^https://optiqor\\.dev" }, + { "pattern": "^https://www\\.npmjs\\.com/package/@optiqor/" }, + { "pattern": "^https://github\\.com/optiqor/optiqor-cli/discussions" } ], "timeout": "10s", "retryOn429": true, diff --git a/CLAUDE.md b/CLAUDE.md index 2a50859..bd3247e 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -1,6 +1,6 @@ # cli — Claude Conventions -This is the **open-source** Optiqor CLI (`@optiqor/cli`). It must remain independently auditable as Apache-2.0 OSS — that is the entire reason it lives in a separate repo from the proprietary backend. Strategy reference: [../docs/open_source_cli_playbook.md](../docs/open_source_cli_playbook.md). +This is the **open-source** Optiqor CLI (`@optiqor/cli`). It must remain independently auditable as Apache-2.0 OSS — that is the entire reason it lives in a separate repo from the proprietary backend. Strategy reference: `docs/open_source_cli_playbook.md` in the Optiqor org monorepo (not public). ## Stack diff --git a/README.md b/README.md index 51ac427..463654f 100644 --- a/README.md +++ b/README.md @@ -87,7 +87,7 @@ sudo mv optiqor /usr/local/bin/ ``` > [!TIP] -> All release artifacts are signed with [Cosign](https://docs.sigstore.dev/cosign/overview/). Verification instructions on the [release page](https://github.com/optiqor/optiqor-cli/releases). +> All release artifacts are signed with [Cosign](https://github.com/sigstore/cosign). Verification instructions on the [release page](https://github.com/optiqor/optiqor-cli/releases). ### Option 5: Build from source diff --git a/todo.md b/todo.md index dec98f6..d18f1ff 100644 --- a/todo.md +++ b/todo.md @@ -1,9 +1,9 @@ # optiqor-cli — repo-local todo This file tracks CLI-only work. The org-level roadmap that wires both -repos and the strategy docs is in [../todo.md](../todo.md); items -here are scoped to what lands inside this repo's `cmd/`, `internal/`, -or `pkg/`. +repos and the strategy docs lives in the Optiqor org monorepo (not +public); items here are scoped to what lands inside this repo's +`cmd/`, `internal/`, or `pkg/`. ## Recently shipped
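Review bot: In PATCH 1/2, the new forbidden path `github.com/optiqor/optiqor` in the CLAUDE.md hunk (@@ -16,7 +16,7 @@) and the todo.md hunk (@@ -50,5 +50,5 @@) is a string prefix of this repo's own module path, which the pkg.go.dev badge shows as `github.com/optiqor/optiqor-cli`. Any reviewer or script that searches `go.mod` for the forbidden string will also match the repo's own `module` line, which the old name `github.com/optiqor/backend` did not. Suggest wording the rule as an exact module-path match (the path followed by whitespace or `/`). Because the rule is restated in two files and had to be renamed in both, consider having todo.md point to CLAUDE.md rather than repeat the path, and backing the rule with a CI check on `go.mod` instead of prose alone.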
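Review bot: In PATCH 2/2, the two patterns added to `.github/mlc-config.json` (@@ -4,7 +4,9 @@) are permanent suppressions for conditions the commit message describes as temporary (an unpublished npm package and a Discussions tab that is not yet enabled), and nothing in the hunk records when to remove them. The npm pattern `^https://www\\.npmjs\\.com/package/@optiqor/` also covers every package under the scope, not only `@optiqor/cli`, so a mistyped package link would pass the check after publication. Suggest narrowing it to the `@optiqor/cli` URL and adding a todo.md item to drop both patterns once the package and Discussions are live. Since the README already links to and badges the npm package, it is also worth confirming the `@optiqor` scope is reserved before users are pointed at it.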
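Review bot: In PATCH 2/2, the README.md hunk (@@ -87,7 +87,7 @@) swaps the Cosign documentation link for the repository home page, which leaves the tip with no direct pointer to how verification works and still defers the actual instructions to the release page. A reader who downloads a binary gets the statement "All release artifacts are signed" but not what to verify against. Suggest stating in the README itself which signer identity or public key a valid signature must match, so the check does not depend solely on text published alongside the artifacts being verified.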
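Review bot: In PATCH 2/2, the CLAUDE.md hunk (@@ -1,6 +1,6 @@) replaces the broken link with a file path inside a monorepo that the same line calls "not public", so outside readers of this Apache-2.0 repo still cannot reach the strategy reference and now see an internal path instead. If the constraints in this file are meant to be independently auditable, consider summarising the relevant points here rather than naming an inaccessible document. The same applies to the reworded paragraph in the todo.md hunk (@@ -1,9 +1,9 @@).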