chore: containerized dev env, Scorecard hash-pinning, agent-docs audit fixes#1013
Merged
Conversation
…P servers Self-contained dev container that runs Claude Code plus the project's MCP servers (Context7, codegraph, Serena) and the full `make pre-commit` / `make ci` gate against a mounted checkout. - Dockerfile (Ubuntu noble): Rust 1.94 stable + nightly, Node 24, Python 3.12 + uv/maturin, rust-analyzer/pyright/clangd/bash language servers, and the lint tools pinned to the CI versions (SHA256-verified). - MCP servers are registered into Claude Code's user scope at build time from docker/mcp.json, so `claude` launches them as stdio subprocesses — no docker-compose, no separate server containers. - Makefile targets dev-env-build/run/shell/rm (plain docker build/run; host UID/GID passed as build args so the bind mount stays writable). - Optional docker/certs/ drop-in trusts corporate/proxy root CAs so the image builds behind a TLS-intercepting proxy; ships empty, certs git-ignored. Verified building and running on linux/arm64.
Address three OpenSSF Scorecard alerts:
- Pinned-Dependencies: CI workflows now install Python tooling from
hash-pinned exports of uv.lock (big-code-analysis-py/requirements/
{dev,examples}.txt, regenerated by `make py-relock`) with
`pip install --require-hashes`, replacing the floor-range installs
and the unpinned `pip install --upgrade pip` steps. Wheel smoke jobs
install the just-built wheel by explicit dist/*.whl path with
--no-deps. This also closes the "CI does not consume uv.lock" gap.
- Vulnerabilities: bump transitive deps anyhow 1.0.102 -> 1.0.103
(RUSTSEC-2026-0190) and memmap2 0.9.10 -> 0.9.11
(RUSTSEC-2026-0186); neither affected API is called directly.
- Binary-Artifacts: remove test_ext, a 4.3 MB compiled debug binary
accidentally committed at the repo root. Nothing referenced it.
pytest-cov joins the dev extra and maturin the examples extra so the
exports cover exactly what each CI job needs.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Audit of CLAUDE.md, AGENTS.md, and all 17 .claude/skills/ definitions against the repo surfaced ~35 verified defects; fix them all: - Default branch: CLAUDE.md's worktree section claimed the default branch is `master` (backwards); seven skills inherited failing `git checkout -b ... master` / `git diff master...HEAD` commands. All now say `main`. - CLI interface: audit-crate, audit-file, improve-crate, and scan-project invoked the retired upstream form `big-code-analysis-cli -m -O json -p <path>` (silently no-opping behind `|| true`); now `bca metrics -O json <path>`. - exit vs nexits: add-lang and scan-project referenced the nonexistent src/metrics/exit.rs and an exit_min accessor; audit-naming's canonical metric vocabulary gained nexits/tokens. - Stability contract: AGENTS.md still described a published 1.x library with breaks reserved for 2.0 (2.0.1 shipped); reframed to the current major line / next major (3.0). Stale macro paths (src/macros.rs -> src/macros/, c_langs_macros/ -> src/c_langs_macros/) fixed here and in three skills. - MCP deps: fix-issue, issue-plan, and batch-fix hard-required the unconfigured sequential-thinking server (issue-plan's guardrail made it non-negotiable) and fix-issue named a nonexistent serena:activate_project tool; all now degrade to inline reasoning and use serena:initial_instructions. - Read-only contract: issue-triage created GitHub labels despite declaring itself read-only; it now detects and reports missing labels instead. - Validation gates: improve-crate, cleanup-crate, and batch-fix ran only the raw cargo trio; the canonical `make pre-commit` now runs once on each integration branch (fast trio stays per-agent), in branch mode too. batch-fix agents gained the snapshot-anchoring and big-code-analysis-output submodule discipline they were never told about. - scan-project: partition C falsely claimed language_c.rs / language_mozcpp.rs do not exist; c, mozcpp, objc, irules were in no partition; "encodes every lesson" overstated a checklist that maps to lessons <= 28 of 60. Partitions fixed, claims corrected. - Smaller: CLAUDE.md skills table gained add-lang and batch-fix plus a note that the bca-check hook is opt-in; rust-optimize's D1 example no longer uses banned panic!, its MSRV matrix acknowledges the 1.94 floor, dead allowed-tools entries dropped; four skills now cite .claude/rules/macro-comments.md at their macro-consolidation steps; fix-issue cites the test-via-revert rule and the real `## [Unreleased]` changelog convention; incomplete workspace-crate lists gained big-code-analysis-py / xtask / enums. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Three related chores: a containerized dev environment, OpenSSF Scorecard remediation, and an audit-driven cleanup of the agent instructions that both efforts surfaced.
chore(docker): containerized dev environment for Claude Code + MCP servers (f7afe10)
Self-contained dev container that runs Claude Code plus the project's MCP servers (Context7, codegraph, Serena) and the full
make pre-commit/make cigate against a mounted checkout.docker/mcp.json, soclaudelaunches them as stdio subprocesses — no docker-compose, no separate server containers.dev-env-build/run/shell/rm(plain docker build/run; host UID/GID passed as build args so the bind mount stays writable).docker/certs/drop-in trusts corporate/proxy root CAs for building behind a TLS-intercepting proxy; ships empty, certs git-ignored.Verified building and running on linux/arm64.
chore(security): hash-pin CI Python tooling, clear RUSTSEC advisories (154e332)
Addresses three OpenSSF Scorecard alerts:
uv.lock(big-code-analysis-py/requirements/{dev,examples}.txt, regenerated bymake py-relock) withpip install --require-hashes, replacing floor-range installs and unpinnedpip install --upgrade pipsteps. Wheel smoke jobs install the just-built wheel by explicitdist/*.whlpath with--no-deps. This also closes the "CI does not consume uv.lock" gap.test_ext, a 4.3 MB compiled debug binary accidentally committed at the repo root. Nothing referenced it.docs(agents): fix stale references across skills and instructions (9f7a396)
Audit of
CLAUDE.md,AGENTS.md, and all 17.claude/skills/definitions against the repo surfaced ~35 verified defects, all fixed. Highlights:mastertomainin CLAUDE.md and seven skills whosegit checkout -b/git diffcommands were failing.big-code-analysis-cli -m -O json -p <path>(silently no-opping behind|| true); nowbca metrics -O json <path>.serena:activate_projecttool.make pre-commitgate on integration branches; batch-fix agents gained the snapshot-anchoring and output-submodule discipline.nexitsvsexit, dead allowed-tools entries, missing workspace crates in listings).Validation
make pre-commitclean on the branch (cargo fmt/clippy/test/doc, udeps, lint families, man-page drift, self-scan gates, Python stages).make actionlint.