You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Context\nPR #11 merged as e4f6c16 after current-head CI/security/release gates passed. The remaining review threads were classified as non-blocking for the read-only MCP/Voyage v1.6.7 runtime gate, but several are still worth handling as hardening/product polish.\n\n## Follow-up Queue\n- [ ] Decide policy for the devcontainer Bun installer: keep documented trusted remote installer or replace with pinned tarball + per-arch sha256.\n- [ ] Revisit the Claude review workflow permission model around --dangerously-skip-permissions; current triggers are trusted actor only, but this is a policy/security-hardening decision.\n- [ ] Improve require-safe-parse autofix ergonomics so generated fixes cannot leave parseSourceSafe undefined, or mark the rule non-fixable.\n- [ ] Fix web chat no-tool/DeepSeek transcript persistence issues so assistant-only/no-tool turns are not misclassified as reasoning-only and provider capability changes are picked up immediately.\n- [ ] Preserve parallel same-node-pair relations in the force graph view, especially Vue event/call edges.\n- [ ] Audit Node 20 action deprecation warnings and move compatible actions toward Node 24 before GitHub runner defaults change.\n\n## Non-blocking Evidence\n- PR #11 current-head checks were green before merge.\n- Post-merge main runs on e4f6c16: Release Candidate, CodeQL, Gitleaks, Scorecard, Trivy, Devcontainer Smoke, and Dependency Graph all succeeded.\n- Local canonical MCP smoke passed against /Volumes/LEXAR/repos/GitNexus/gitnexus/dist/cli/index.js with read-only tools only and bounded query output.\n\nThis issue is intentionally post-merge follow-up work, not a rollback/blocker for the canonical GitNexus MCP runtime.
Context\nPR #11 merged as e4f6c16 after current-head CI/security/release gates passed. The remaining review threads were classified as non-blocking for the read-only MCP/Voyage v1.6.7 runtime gate, but several are still worth handling as hardening/product polish.\n\n## Follow-up Queue\n- [ ] Decide policy for the devcontainer Bun installer: keep documented trusted remote installer or replace with pinned tarball + per-arch sha256.\n- [ ] Revisit the Claude review workflow permission model around
--dangerously-skip-permissions; current triggers are trusted actor only, but this is a policy/security-hardening decision.\n- [ ] Improverequire-safe-parseautofix ergonomics so generated fixes cannot leaveparseSourceSafeundefined, or mark the rule non-fixable.\n- [ ] Fix web chat no-tool/DeepSeek transcript persistence issues so assistant-only/no-tool turns are not misclassified as reasoning-only and provider capability changes are picked up immediately.\n- [ ] Preserve parallel same-node-pair relations in the force graph view, especially Vue event/call edges.\n- [ ] Audit Node 20 action deprecation warnings and move compatible actions toward Node 24 before GitHub runner defaults change.\n\n## Non-blocking Evidence\n- PR #11 current-head checks were green before merge.\n- Post-merge main runs on e4f6c16: Release Candidate, CodeQL, Gitleaks, Scorecard, Trivy, Devcontainer Smoke, and Dependency Graph all succeeded.\n- Local canonical MCP smoke passed against /Volumes/LEXAR/repos/GitNexus/gitnexus/dist/cli/index.js with read-only tools only and bounded query output.\n\nThis issue is intentionally post-merge follow-up work, not a rollback/blocker for the canonical GitNexus MCP runtime.