fix(deps): resolve Dependabot alerts, add docs site improvements

[jeremyeder]

Summary

• Resolve 8 of 10 open Dependabot security alerts by upgrading astro (5→6), starlight (0.34→0.38), fastmcp (2.x→3.x), pyjwt, pygments, and dropping diskcache
• Add starlight-llms-txt plugin — generates /llms.txt, /llms-full.txt, /llms-small.txt for LLM-friendly documentation access
• Add Claude Code Harness docs page — documents agents, skills, hooks, convention guard, continuous learning loop, migration to other tools, relationship to AGENTS.md/agentskills.io
• Add PR Review Gate docs page — documents inner-loop review flow, circuit breakers, self-reviewed label, merge queues (implements ADR-0008 documentation)
• Add Gerrit and CodeRabbit sections to integrations page
• Update /scaffold skill — add Documentation section and checklist items
• Remove stale token lifetime table from workspaces page (listed "No expiration" which doesn't exist)

Dependabot alerts resolved

Alert	Package	Ecosystem	Fix
#183, #184	astro	npm	5.x → 6.1.8
#144, #145, #146	fastmcp	pip	2.14.3 → 3.2.4 (uv override)
#143	Pygments	pip	2.19.2 → 2.20.0
#74	PyJWT	pip	2.11.0 → 2.12.1
#59	diskcache	pip	removed (fastmcp 3.x dropped it)

Remaining 2 alerts (docker/docker #134, #135) have no upstream Go module fix — v29.3.1 has not been published.

Test plan

• npm run build passes (31 pages, 0 vulnerabilities)
• Dev server renders all pages correctly (verified via curl)
• llms.txt files generated (llms.txt, llms-full.txt, llms-small.txt)
• Runner tests pass (592 passed, 11 skipped — 1 pre-existing flaky test on main)
• Visual review of harness and review-gate pages
• Verify mermaid diagrams render on deployed site

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Added Gerrit and CodeRabbit integration setup guides and sidebar navigation.
  • Scaffold now includes a documentation step and updated post-scaffold checklist requiring integration docs and troubleshooting updates.

• Documentation

  • Added development harness and PR review-gate pages describing hooks, lifecycle, and merge flow.
  • Removed token-lifetime guidance from workspace API key docs.

• Chores

  • Upgraded documentation tooling and adjusted runner dependency constraints.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 7505c107-8daf-488f-bf7d-447e84ff5189

📥 Commits

Reviewing files that changed from the base of the PR and between dbc9bd3 and 9cc0395.

⛔ Files ignored due to path filters (2)

• components/runners/ambient-runner/uv.lock is excluded by !**/*.lock
• docs/package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json

📒 Files selected for processing (8)

• .claude/skills/scaffold/SKILL.md
• components/runners/ambient-runner/pyproject.toml
• docs/astro.config.mjs
• docs/package.json
• docs/src/content/docs/concepts/integrations.md
• docs/src/content/docs/concepts/workspaces.md
• docs/src/content/docs/development/harness.md
• docs/src/content/docs/development/review-gate.md

💤 Files with no reviewable changes (1)

• docs/src/content/docs/concepts/workspaces.md

✅ Files skipped from review due to trivial changes (5)

• .claude/skills/scaffold/SKILL.md
• components/runners/ambient-runner/pyproject.toml
• docs/src/content/docs/concepts/integrations.md
• docs/package.json
• docs/src/content/docs/development/review-gate.md

🚧 Files skipped from review as they are similar to previous changes (2)

• docs/astro.config.mjs
• docs/src/content/docs/development/harness.md

---

📝 Walkthrough

Walkthrough

This PR adds comprehensive documentation for Claude Code integrations (Gerrit, CodeRabbit) and development workflows (harness, review-gate), updates documentation dependencies and configuration to include the starlight-llms-txt plugin, upgrades Astro/Starlight versions, and refines dependency constraints in the ambient-runner package.

Changes

Cohort / File(s)	Summary
Documentation - Integrations & Scaffold .claude/skills/scaffold/SKILL.md, docs/src/content/docs/concepts/integrations.md	Added Gerrit and CodeRabbit integration setup docs; scaffold SKILL now requires documenting new integrations and updating troubleshooting tables post-scaffold.
Documentation - Development Workflows docs/src/content/docs/development/harness.md, docs/src/content/docs/development/review-gate.md	Added harness and PR review-gate pages documenting hook lifecycle, tool-call wrappers, convention guards, auto-format hooks, and the PR review gate flow (pre-PR interception, CodeRabbit review, block/allow logic, Mergify labeling).
Documentation Configuration & Frontend deps docs/astro.config.mjs, docs/package.json	Integrated starlight-llms-txt plugin and added sidebar slugs for new pages; upgraded @astrojs/starlight and astro versions.
Documentation - Workspace Changes docs/src/content/docs/concepts/workspaces.md	Removed the token-lifetime guidance table from the API key creation flow.
Dependency Management - ambient-runner components/runners/ambient-runner/pyproject.toml	Bumped pyjwt constraint (>=2.11.0 → >=2.12.0); added [tool.uv] with constraint-dependencies (pygments>=2.20.0) and override-dependencies (fastmcp>=3.2.0).

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer
  participant CLI as Claude CLI / ACP
  participant Harness as Harness (PreToolUse)
  participant Review as CodeRabbit Review Agent
  participant GitHub as GitHub (PR)
  participant Mergify as Mergify
  participant CI as CI

  Dev->>CLI: run `gh pr create`
  CLI->>Harness: PreToolUse interception
  Harness->>Review: run `coderabbit review --agent --base main`
  Review-->>Harness: findings (ok | errors)
  alt findings contain severity=error
    Harness->>CLI: block PR creation (exit 2)
    CLI->>Dev: surface errors (stderr)
    Dev->>CLI: iterate fixes & retry
    CLI->>Harness: repeat review loop
  else no blocking findings
    Harness->>GitHub: allow PR creation (exit 0)
    GitHub->>Mergify: apply `ambient-code:self-reviewed` label
    Mergify->>CI: re-run CI / auto-rebase / squash-merge if green
    CI-->>Mergify: pass | fail
    alt CI pass
      Mergify->>GitHub: merge PR
    else CI fail
      Mergify->>GitHub: eject PR
    end
  end

Loading

🚥 Pre-merge checks | ✅ 8

✅ Passed checks (8 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Title follows Conventional Commits format with type(scope): description and accurately summarizes the primary change: dependency upgrades resolving Dependabot alerts plus docs improvements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Performance And Algorithmic Complexity	✅ Passed	PR contains no meaningful performance regressions: dependency upgrades (security/bug fixes), static build-time config changes, and pure documentation additions only.
Security And Secret Handling	✅ Passed	No hardcoded secrets, plaintext tokens, or auth vulnerabilities detected. All credential handling properly documented with external generation, environment variable injection, and K8s Secrets storage with OwnerReferences enforced.
Kubernetes Resource Safety	✅ Passed	PR modifies only documentation and configuration files; no Kubernetes manifests affected. Kubernetes Resource Safety checks are not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/dependabot-astro-6-upgrade

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch fix/dependabot-astro-6-upgrade

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch fix/dependabot-astro-6-upgrade

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[netlify]

✅ Deploy Preview for cheerful-kitten-f556a0 ready!

Name	Link
🔨 Latest commit	9cc0395
🔍 Latest deploy log	https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69e91cc2185d58000891fa83
😎 Deploy Preview	https://deploy-preview-1433--cheerful-kitten-f556a0.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@components/runners/ambient-runner/pyproject.toml`:
- Line 18: The dependency constraint "pyjwt>=2.12.0" is too loose and can
resolve to pre-patch vulnerable releases; update the minimum patched versions in
pyproject.toml (and similarly tighten the "fastmcp" requirement if present) to
the remediation minima (e.g., "pyjwt>=2.12.1" and "fastmcp>=3.2.4") so fresh
dependency resolution cannot pick older patched-vulnerable patch releases;
modify the dependency lines where "pyjwt>=2.12.0" and "fastmcp>=3.2.0" appear to
use the tightened >= versions.

In `@docs/src/content/docs/development/harness.md`:
- Line 8: Update the sentence that currently states hooks live only in
"scripts/claude-hooks/" to reflect both configured hook locations by mentioning
"scripts/claude-hooks/" and "scripts/hooks/" (and that both are configurable via
.claude/settings.json); update the instances at Line 8 and Line 152 so the doc
consistently instructs users to place hooks in either directory (or configure an
alternate path in .claude/settings.json) to avoid misplaced hooks and
non-executed automation.

In `@docs/src/content/docs/development/review-gate.md`:
- Around line 49-56: The docs incorrectly claim that running `bash
scripts/hooks/pr-review-gate.sh` in CI/standalone will execute the review;
update the documentation to instruct CI/manual runs to invoke `bash
scripts/hooks/coderabbit-review-gate.sh` instead because `pr-review-gate.sh`
only acts as a hook wrapper (gates `gh pr create`) and exits early when not run
as a CLAUDE hook; replace the reference to `pr-review-gate.sh` with
`coderabbit-review-gate.sh` and add a short note explaining the difference in
behavior between the two scripts (`pr-review-gate.sh` = hook wrapper,
`coderabbit-review-gate.sh` = standalone CI/manual runner).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: a4c9dc1b-aa75-4845-8d6d-60ac250120cf

📥 Commits

Reviewing files that changed from the base of the PR and between 341747a and dbc9bd3.

⛔ Files ignored due to path filters (2)

• components/runners/ambient-runner/uv.lock is excluded by !**/*.lock
• docs/package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json

📒 Files selected for processing (8)

• .claude/skills/scaffold/SKILL.md
• components/runners/ambient-runner/pyproject.toml
• docs/astro.config.mjs
• docs/package.json
• docs/src/content/docs/concepts/integrations.md
• docs/src/content/docs/concepts/workspaces.md
• docs/src/content/docs/development/harness.md
• docs/src/content/docs/development/review-gate.md

💤 Files with no reviewable changes (1)

• docs/src/content/docs/concepts/workspaces.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Declared floors in components/runners/ambient-runner/pyproject.toml:"
rg -n 'pyjwt>=|fastmcp>=' components/runners/ambient-runner/pyproject.toml

echo
echo "Resolved versions in uv.lock (if present):"
LOCK_FILE="$(fd -HI '^uv\.lock$' | head -n1 || true)"
if [ -n "$LOCK_FILE" ]; then
  rg -n -C2 'name = "(pyjwt|fastmcp|pygments)"|version = "' "$LOCK_FILE"
else
  echo "uv.lock not found"
fi

Repository: ambient-code/platform

Length of output: 50377

---

Specify patched minimum versions to prevent vulnerable patch regression.

pyjwt>=2.12.0 and fastmcp>=3.2.0 allow earlier patch releases than the target remediation versions (2.12.1 and 3.2.4). Fresh dependency resolution could select pre-patch versions. Tighten the constraints:

Proposed patch

 dependencies = [
@@
-  "pyjwt>=2.12.0",
+  "pyjwt>=2.12.1",
 ]
@@
 override-dependencies = [
-  "fastmcp>=3.2.0",
+  "fastmcp>=3.2.4",
 ]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@components/runners/ambient-runner/pyproject.toml` at line 18, The dependency
constraint "pyjwt>=2.12.0" is too loose and can resolve to pre-patch vulnerable
releases; update the minimum patched versions in pyproject.toml (and similarly
tighten the "fastmcp" requirement if present) to the remediation minima (e.g.,
"pyjwt>=2.12.1" and "fastmcp>=3.2.4") so fresh dependency resolution cannot pick
older patched-vulnerable patch releases; modify the dependency lines where
"pyjwt>=2.12.0" and "fastmcp>=3.2.0" appear to use the tightened >= versions.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Hook location guidance is inconsistent with the actual configured paths.

Line 8 and Line 152 imply hooks live only in scripts/claude-hooks/, but current configuration uses both scripts/claude-hooks/ and scripts/hooks/. This can lead to misplaced hooks and non-executed automation.

Proposed doc fix

-Everything lives under `.claude/` and `scripts/claude-hooks/`, configured through `.claude/settings.json`.
+Everything lives under `.claude/`, `scripts/claude-hooks/`, and `scripts/hooks/`, configured through `.claude/settings.json`.

-**New hook**: Add a script to `scripts/claude-hooks/`, register it in `.claude/settings.json` under the appropriate lifecycle event and tool matcher.
+**New hook**: Add a script to `scripts/claude-hooks/` or `scripts/hooks/` (matching existing hook categories), then register it in `.claude/settings.json` under the appropriate lifecycle event and tool matcher.

Also applies to: 152-152

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/src/content/docs/development/harness.md` at line 8, Update the sentence
that currently states hooks live only in "scripts/claude-hooks/" to reflect both
configured hook locations by mentioning "scripts/claude-hooks/" and
"scripts/hooks/" (and that both are configurable via .claude/settings.json);
update the instances at Line 8 and Line 152 so the doc consistently instructs
users to place hooks in either directory (or configure an alternate path in
.claude/settings.json) to avoid misplaced hooks and non-executed automation.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fix CI/standalone script reference; current command won’t run the review.

Line 55 says pr-review-gate.sh runs review directly, but that script only gates gh pr create when invoked as a hook and otherwise exits early. CI/manual execution should reference coderabbit-review-gate.sh.

Proposed doc fix

-The same script (`scripts/hooks/pr-review-gate.sh`) works in three contexts:
+The review gate uses `scripts/hooks/pr-review-gate.sh` as the Claude hook wrapper, and `scripts/hooks/coderabbit-review-gate.sh` for direct review execution.

 | Runtime | Mechanism |
 |---------|-----------|
 | **Claude Code CLI** | `.claude/settings.json` hooks loaded directly |
 | **ACP sessions** | Claude Agent SDK spawns CLI with `--setting-sources project` — same hooks apply |
-| **CI / standalone** | Run `bash scripts/hooks/pr-review-gate.sh` directly (no `CLAUDE_TOOL_INPUT` — runs review immediately) |
+| **CI / standalone** | Run `bash scripts/hooks/coderabbit-review-gate.sh` directly (no `CLAUDE_TOOL_INPUT` — runs review immediately) |

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	The same script (`scripts/hooks/pr-review-gate.sh`) works in three contexts:
	| Runtime | Mechanism |
	|---------|-----------|
	| **Claude Code CLI** | `.claude/settings.json` hooks loaded directly |
	| **ACP sessions** | Claude Agent SDK spawns CLI with `--setting-sources project` — same hooks apply |
	| **CI / standalone** | Run `bash scripts/hooks/pr-review-gate.sh` directly (no `CLAUDE_TOOL_INPUT` — runs review immediately) |
	The review gate uses `scripts/hooks/pr-review-gate.sh` as the Claude hook wrapper, and `scripts/hooks/coderabbit-review-gate.sh` for direct review execution.
	| Runtime | Mechanism |
	|---------|-----------|
	| **Claude Code CLI** | `.claude/settings.json` hooks loaded directly |
	| **ACP sessions** | Claude Agent SDK spawns CLI with `--setting-sources project` — same hooks apply |
	| **CI / standalone** | Run `bash scripts/hooks/coderabbit-review-gate.sh` directly (no `CLAUDE_TOOL_INPUT` — runs review immediately) |

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/src/content/docs/development/review-gate.md` around lines 49 - 56, The
docs incorrectly claim that running `bash scripts/hooks/pr-review-gate.sh` in
CI/standalone will execute the review; update the documentation to instruct
CI/manual runs to invoke `bash scripts/hooks/coderabbit-review-gate.sh` instead
because `pr-review-gate.sh` only acts as a hook wrapper (gates `gh pr create`)
and exits early when not run as a CLAUDE hook; replace the reference to
`pr-review-gate.sh` with `coderabbit-review-gate.sh` and add a short note
explaining the difference in behavior between the two scripts
(`pr-review-gate.sh` = hook wrapper, `coderabbit-review-gate.sh` = standalone
CI/manual runner).