
Chore/agpl license #23

Merged: bnz183 merged 2 commits into main from chore/agpl-license on Jun 12, 2026

Conversation

bnz183 (Owner) commented Jun 12, 2026

No description provided.

chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dc096120da

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread SECURITY.md
Comment on lines +43 to +44
CI runs build, unit tests, and Playwright smoke tests; GitHub CodeQL analyzes
JavaScript/TypeScript and Actions workflows on pushes and PRs to `main`.


P2: Don't claim CodeQL coverage before enabling it

As committed, the repo's only workflow is .github/workflows/ci.yml, which runs install/build/test/e2e and does not include github/codeql-action/init or github/codeql-action/analyze. Unless CodeQL default setup is enabled out-of-band, this SECURITY.md statement overstates the automated security coverage contributors can rely on; either add the CodeQL workflow/configuration or remove the claim.

Useful? React with 👍 / 👎.

@@ -0,0 +1 @@
Subproject commit e791f54723e8a630ae5316dbd6a14e0763924b51
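Review bot: the `@@ -0,0 +1 @@` hunk records a `Subproject commit` gitlink while this PR changes no `.gitmodules`, so `git submodule update --init --recursive` has no URL to clone from and fails on that path. Unless a real submodule is intended, drop the entry with `git rm --cached` on the worktree path and add the tool's worktree directory to `.gitignore` so it cannot be staged again.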


P2: Remove the accidental gitlink worktree entry

This newly added 160000 gitlink records .claude/worktrees/project-guidance as a submodule commit, but there is no .gitmodules entry or URL for it. Any contributor or CI job that checks out submodules (for example git submodule update --init --recursive) will fail with no URL for this path, and the local Claude worktree should not be part of the repository history; remove the gitlink or add a real submodule configuration if it is intentional.

Useful? React with 👍 / 👎.

pnpm install --frozen-lockfile
pnpm build
pnpm test
pnpm exec playwright install chromium # first time only


P2: Run Playwright install in the studio workspace

This checklist presents the block as repo-root commands, but pnpm help exec says exec runs in the context of the current project and defaults --dir to /workspace/SourceDraft; in this repo @playwright/test is only a devDependency of apps/studio, so pnpm exec playwright install chromium from the root fails with Command "playwright" not found before the release e2e check can run. Use the same workspace-scoped form as CI, e.g. cd apps/studio && pnpm exec playwright install chromium or a --filter studio exec command.

Useful? React with 👍 / 👎.

- `LICENSE` is AGPL-3.0-or-later; no stray MIT references anywhere
- `.env` / `.env.local` gitignored and not committed
- No-secrets scan clean on tracked files (tokens, passwords, private keys):
`git grep -nIiE 'ghp_[A-Za-z0-9]|gho_[A-Za-z0-9]|BEGIN [A-Z]+ PRIVATE KEY' -- ':!*.example*'`


P2: Broaden the release-gate secret scan

This release gate is meant to catch tracked tokens and private keys, but the regex only covers older GitHub ghp_/gho_ tokens and single-word PEM labels. For this project that leaves common supported-provider secrets such as fine-grained GitHub PATs (github_pat_) and GitLab PATs (glpat-) — and OpenSSH private keys because of the space in OPENSSH PRIVATE KEY — undetected, so a release could pass this documented gate while still shipping credentials. Expand the pattern as in the public launch checklist or use a real secret scanner.

Useful? React with 👍 / 👎.
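As an added example (not code from the PR or from the Codex reviewer), here is the release-gate scan with its pattern broadened along the lines suggested above, run over a constructed fixture tree so the two patterns can be compared side by side. Plain recursive `grep` stands in for `git grep` so no repository is needed, and the token prefixes and minimum lengths used in the pattern are assumptions.

```sh
#!/bin/sh
# Added example, not code from the PR or its reviewer: the release-gate secret
# scan with the pattern broadened as suggested. Token formats are assumptions.
OLD_PATTERN='ghp_[A-Za-z0-9]|gho_[A-Za-z0-9]|BEGIN [A-Z]+ PRIVATE KEY'
NEW_PATTERN='ghp_[A-Za-z0-9]|gho_[A-Za-z0-9]|github_pat_[A-Za-z0-9_]{22,}|glpat-[A-Za-z0-9_-]{20}|BEGIN( [A-Z0-9]+)* PRIVATE KEY'

# scan_secrets PATTERN DIR: print path:line:text for every hit, skipping *.example*
# templates. Plain recursive grep stands in for `git grep` so no repository is
# needed; in a checkout the equivalent is:
#   git grep -nIiE "$NEW_PATTERN" -- ':!*.example*'
scan_secrets() {
  grep -rnIiE --exclude='*.example*' -e "$1" "$2" || true
}

# count_hits PATTERN DIR: number of matching lines; a CI gate fails unless this is 0.
count_hits() {
  scan_secrets "$1" "$2" | wc -l | tr -d ' '
}

# make_fixture: constructed sample tree with planted placeholder values (not real
# credentials) covering each credential type the gate should catch.
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/config" "$fx/keys" "$fx/src"
  printf '%s\n' 'GITHUB_TOKEN=ghp_constructedPlaceholderValue000000' \
                'GITLAB_TOKEN=glpat-ABCDEFGHIJKLMNOPQRST' > "$fx/.env.local"
  printf '%s\n' 'GITHUB_TOKEN=ghp_REPLACE_ME' > "$fx/.env.example"     # template: ignored
  printf '%s\n' 'const pat = "github_pat_ABCDEFGHIJKLMNOPQRSTUV_0123456789";' > "$fx/config/deploy.ts"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' constructed > "$fx/keys/id_ed25519"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' constructed > "$fx/keys/server.pem"  # PKCS#8: no label word
  printf '%s\n' 'const token = process.env.GITHUB_TOKEN;' > "$fx/src/index.ts"    # clean file
  echo "$fx"
}

# Stand-alone run: compare what the PR's pattern and the broadened one find.
fixture=$(make_fixture)
echo "PR pattern:  $(count_hits "$OLD_PATTERN" "$fixture") hit(s)"
echo "broadened:   $(count_hits "$NEW_PATTERN" "$fixture") hit(s)"
scan_secrets "$NEW_PATTERN" "$fixture"
rm -rf "$fixture"
```

On the fixture the original pattern reports 2 hits and the broadened one 5; the unlabeled PKCS#8 header, the `github_pat_` token and the `glpat-` token are the lines the original misses, while the `.env.example` template is skipped by both.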

@bnz183 bnz183 merged commit 5739bc8 into main Jun 12, 2026
7 checks passed
@bnz183 bnz183 deleted the chore/agpl-license branch June 12, 2026 15:45