Skip to content

Post-merge hardening follow-ups from PR #11 review #19

Description

@100yenadmin

Context\nPR #11 merged as e4f6c16 after current-head CI/security/release gates passed. The remaining review threads were classified as non-blocking for the read-only MCP/Voyage v1.6.7 runtime gate, but several are still worth handling as hardening/product polish.\n\n## Follow-up Queue\n- [ ] Decide policy for the devcontainer Bun installer: keep documented trusted remote installer or replace with pinned tarball + per-arch sha256.\n- [ ] Revisit the Claude review workflow permission model around --dangerously-skip-permissions; current triggers are trusted actor only, but this is a policy/security-hardening decision.\n- [ ] Improve require-safe-parse autofix ergonomics so generated fixes cannot leave parseSourceSafe undefined, or mark the rule non-fixable.\n- [ ] Fix web chat no-tool/DeepSeek transcript persistence issues so assistant-only/no-tool turns are not misclassified as reasoning-only and provider capability changes are picked up immediately.\n- [ ] Preserve parallel same-node-pair relations in the force graph view, especially Vue event/call edges.\n- [ ] Audit Node 20 action deprecation warnings and move compatible actions toward Node 24 before GitHub runner defaults change.\n\n## Non-blocking Evidence\n- PR #11 current-head checks were green before merge.\n- Post-merge main runs on e4f6c16: Release Candidate, CodeQL, Gitleaks, Scorecard, Trivy, Devcontainer Smoke, and Dependency Graph all succeeded.\n- Local canonical MCP smoke passed against /Volumes/LEXAR/repos/GitNexus/gitnexus/dist/cli/index.js with read-only tools only and bounded query output.\n\nThis issue is intentionally post-merge follow-up work, not a rollback/blocker for the canonical GitNexus MCP runtime.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions