Chore/agpl license #23
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dc096120da
| CI runs build, unit tests, and Playwright smoke tests; GitHub CodeQL analyzes | ||
| JavaScript/TypeScript and Actions workflows on pushes and PRs to `main`. |
Don't claim CodeQL coverage before enabling it
As committed, the repo's only workflow is .github/workflows/ci.yml, which runs install/build/test/e2e and does not include github/codeql-action/init or github/codeql-action/analyze. Unless CodeQL default setup is enabled out-of-band, this SECURITY.md statement overstates the automated security coverage contributors can rely on; either add the CodeQL workflow/configuration or remove the claim.
| @@ -0,0 +1 @@ | |||
| Subproject commit e791f54723e8a630ae5316dbd6a14e0763924b51 | |||
Remove the accidental gitlink worktree entry
This newly added 160000 gitlink records .claude/worktrees/project-guidance as a submodule commit, but there is no .gitmodules entry or URL for it. Any contributor or CI job that checks out submodules (for example git submodule update --init --recursive) will fail with no URL for this path, and the local Claude worktree should not be part of the repository history; remove the gitlink or add a real submodule configuration if it is intentional.
| pnpm install --frozen-lockfile | ||
| pnpm build | ||
| pnpm test | ||
| pnpm exec playwright install chromium # first time only |
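Review bot: The `# first time only` comment on the last line of this block is misleading: Playwright pins its browser builds to the installed `@playwright/test` version, so `pnpm exec playwright install chromium` has to be rerun after every Playwright upgrade or the e2e step fails with a missing-browser error. Suggest `# rerun after upgrading @playwright/test`, and for a fresh Linux host `playwright install --with-deps chromium` so the required system libraries are installed as well.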
Run Playwright install in the studio workspace
This checklist presents the block as repo-root commands, but pnpm help exec says exec runs in the context of the current project and defaults --dir to /workspace/SourceDraft; in this repo @playwright/test is only a devDependency of apps/studio, so pnpm exec playwright install chromium from the root fails with Command "playwright" not found before the release e2e check can run. Use the same workspace-scoped form as CI, e.g. cd apps/studio && pnpm exec playwright install chromium or a --filter studio exec command.
| - `LICENSE` is AGPL-3.0-or-later; no stray MIT references anywhere | ||
| - `.env` / `.env.local` gitignored and not committed | ||
| - No-secrets scan clean on tracked files (tokens, passwords, private keys): | ||
| `git grep -nIiE 'ghp_[A-Za-z0-9]|gho_[A-Za-z0-9]|BEGIN [A-Z]+ PRIVATE KEY' -- ':!*.example*'` |
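Review bot: The PEM alternative `BEGIN [A-Z]+ PRIVATE KEY` on the last line requires exactly one word between BEGIN and PRIVATE, so an unencrypted PKCS#8 header (`-----BEGIN PRIVATE KEY-----`) is never matched; `BEGIN( [A-Z]+)* PRIVATE KEY` covers that label as well as the RSA, EC and OPENSSH forms. Two further limits of the same command should be stated in the checklist: `-I` skips binary files, so a committed keystore or `.p12` is not inspected at all, and `git grep` reads only the current tree, so a credential committed and later deleted still ships in the repository history. Either document that the gate covers text files at HEAD only, or pair it with a history-aware scanner.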
Broaden the release-gate secret scan
This release gate is meant to catch tracked tokens and private keys, but the regex only covers older GitHub ghp_/gho_ tokens and single-word PEM labels. For this project that leaves common supported-provider secrets such as fine-grained GitHub PATs (github_pat_) and GitLab PATs (glpat-) — and OpenSSH private keys because of the space in OPENSSH PRIVATE KEY — undetected, so a release could pass this documented gate while still shipping credentials. Expand the pattern as in the public launch checklist or use a real secret scanner.
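The broadened release-gate scan the comment above asks for, as an added example that is not part of the PR or the project's own checklist. Token prefixes and lengths are assumptions taken from the providers' public documentation, and the sample lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the PR. Broadened release-gate secret pattern:
# classic ghp_/gho_ tokens, fine-grained GitHub PATs (github_pat_),
# GitLab PATs (glpat-) and any PEM private-key label, including the
# PKCS#8 "BEGIN PRIVATE KEY" form that has no word before PRIVATE.
# Prefix/length rules are assumptions based on provider docs.
SECRET_RE='ghp_[A-Za-z0-9]{36}|gho_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,}|glpat-[A-Za-z0-9_-]{20,}|BEGIN( [A-Z]+)* PRIVATE KEY'

# Same shape as the checklist command: tracked files, *.example* skipped.
# Note: -I skips binary files, so keystores still need a separate check,
# and only the current tree is read, not history.
scan_tracked() {
  git grep -nIiE "$SECRET_RE" -- ':!*.example*'
}

# Apply the pattern to text on stdin; exit 0 on a hit, 1 when clean.
# Lets the regex be exercised without a git checkout.
scan_text() {
  grep -qiE "$SECRET_RE"
}

# Release-gate wrapper: 0 = clean, 1 = secrets found, 2 = scan could not run
# (git grep exits 1 for "no match" and >1 for errors such as no checkout).
release_gate() {
  scan_tracked && rc=0 || rc=$?
  case "$rc" in
    0) echo "secret scan: matches found, do not release" >&2; return 1 ;;
    1) echo "secret scan: clean"; return 0 ;;
    *) echo "secret scan: git grep failed (not a git checkout?)" >&2; return 2 ;;
  esac
}
```

Run `release_gate` from the repository root in place of the single-line grep; the non-zero exit on a hit makes it usable as a CI step as well as a manual checklist item.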
No description provided.