26T1-DEV-RL-001 | Move to Oxlint

[liyunze-coding]

Summary

Add Oxlint and update CI to use it, instead of Superlint, ESLint and other linting in the project.

Type of Change

• Bug fix
• New feature
• Breaking change
• Refactor / code cleanup
• Documentation
• CI/CD / infrastructure
• Security

Affected Components

• /backend-api
• /frontend
• /engine (collectors / policies)
• /security
• /infrastructure
• /.github/workflows
• /docs

Motivation

Link to Planner

Testing Done

• Unit tests pass locally
• Tested manually — describe how:
• No tests required — explain why:

Security Considerations

No security considerations.

Breaking Changes

• No breaking changes
• Yes — describe below:

Rollback Plan

• Revert commit is sufficient
• Requires additional steps — describe below:

Checklist

• Code follows project conventions
• No secrets, credentials, or tokens committed
• Relevant documentation updated (if applicable)
• CI/CD workflows pass on this branch
• PR is focused on one thing

[github-actions]

CI: Frontend

Job	Result
Security analysis (CodeQL)	✅ success
Lint	✅ success

All checks passed.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dd7f285539

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Restore CI triggers for staging/dev integration branches

This workflow now only runs on main (push and pull_request), so backend checks no longer execute for PRs that target staging or dev. The previous workflow covered those branches, and removing them means integration failures can bypass CI until the final merge into main, which weakens the release gate for the backend module.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Include all dependency paths in Grype workflow triggers

The workflow claims to scan dependency manifests across the repo, but its paths filter only watches frontend/**, backend-api/**, and engine/**. Dependency changes in other tracked locations (for example security/**, root package-lock.json, or tools/**) will not run this scan on PR/push events, delaying vulnerability detection until the weekly cron.

Useful? React with 👍 / 👎.