Skip to content

chore: containerized dev env, Scorecard hash-pinning, agent-docs audit fixes#1013

Merged
dekobon merged 3 commits into
mainfrom
chore/dev-container
Jul 8, 2026
Merged

chore: containerized dev env, Scorecard hash-pinning, agent-docs audit fixes#1013
dekobon merged 3 commits into
mainfrom
chore/dev-container

Conversation

@dekobon

@dekobon dekobon commented Jul 8, 2026

Copy link
Copy Markdown
Owner

Three related chores: a containerized dev environment, OpenSSF Scorecard remediation, and an audit-driven cleanup of the agent instructions that both efforts surfaced.

chore(docker): containerized dev environment for Claude Code + MCP servers (f7afe10)

Self-contained dev container that runs Claude Code plus the project's MCP servers (Context7, codegraph, Serena) and the full make pre-commit / make ci gate against a mounted checkout.

  • Dockerfile (Ubuntu noble): Rust 1.94 stable + nightly, Node 24, Python 3.12 + uv/maturin, rust-analyzer/pyright/clangd/bash language servers, and the lint tools pinned to the CI versions (SHA256-verified).
  • MCP servers are registered into Claude Code's user scope at build time from docker/mcp.json, so claude launches them as stdio subprocesses — no docker-compose, no separate server containers.
  • Makefile targets dev-env-build/run/shell/rm (plain docker build/run; host UID/GID passed as build args so the bind mount stays writable).
  • Optional docker/certs/ drop-in trusts corporate/proxy root CAs for building behind a TLS-intercepting proxy; ships empty, certs git-ignored.

Verified building and running on linux/arm64.

chore(security): hash-pin CI Python tooling, clear RUSTSEC advisories (154e332)

Addresses three OpenSSF Scorecard alerts:

  • Pinned-Dependencies: CI workflows now install Python tooling from hash-pinned exports of uv.lock (big-code-analysis-py/requirements/{dev,examples}.txt, regenerated by make py-relock) with pip install --require-hashes, replacing floor-range installs and unpinned pip install --upgrade pip steps. Wheel smoke jobs install the just-built wheel by explicit dist/*.whl path with --no-deps. This also closes the "CI does not consume uv.lock" gap.
  • Vulnerabilities: bump transitive deps anyhow 1.0.102 → 1.0.103 (RUSTSEC-2026-0190) and memmap2 0.9.10 → 0.9.11 (RUSTSEC-2026-0186); neither affected API is called directly.
  • Binary-Artifacts: remove test_ext, a 4.3 MB compiled debug binary accidentally committed at the repo root. Nothing referenced it.

docs(agents): fix stale references across skills and instructions (9f7a396)

Audit of CLAUDE.md, AGENTS.md, and all 17 .claude/skills/ definitions against the repo surfaced ~35 verified defects, all fixed. Highlights:

  • Default branch corrected from master to main in CLAUDE.md and seven skills whose git checkout -b / git diff commands were failing.
  • Four skills invoked the retired CLI form big-code-analysis-cli -m -O json -p <path> (silently no-opping behind || true); now bca metrics -O json <path>.
  • AGENTS.md still described a published 1.x library with breaks reserved for 2.0; reframed to the current major line / next major (3.0). Stale macro paths fixed.
  • MCP dependencies degrade gracefully: skills no longer hard-require the unconfigured sequential-thinking server or a nonexistent serena:activate_project tool.
  • issue-triage no longer creates GitHub labels despite declaring itself read-only.
  • improve-crate, cleanup-crate, and batch-fix now run the canonical make pre-commit gate on integration branches; batch-fix agents gained the snapshot-anchoring and output-submodule discipline.
  • scan-project partition fixes (c, mozcpp, objc, irules were in no partition), plus assorted smaller corrections (nexits vs exit, dead allowed-tools entries, missing workspace crates in listings).

Validation

  • make pre-commit clean on the branch (cargo fmt/clippy/test/doc, udeps, lint families, man-page drift, self-scan gates, Python stages).
  • Dev container image build + interactive run verified on linux/arm64.
  • CI workflow edits validated with make actionlint.

dekobon and others added 3 commits July 7, 2026 19:38
…P servers

Self-contained dev container that runs Claude Code plus the project's MCP
servers (Context7, codegraph, Serena) and the full `make pre-commit` /
`make ci` gate against a mounted checkout.

- Dockerfile (Ubuntu noble): Rust 1.94 stable + nightly, Node 24, Python
  3.12 + uv/maturin, rust-analyzer/pyright/clangd/bash language servers,
  and the lint tools pinned to the CI versions (SHA256-verified).
- MCP servers are registered into Claude Code's user scope at build time
  from docker/mcp.json, so `claude` launches them as stdio subprocesses —
  no docker-compose, no separate server containers.
- Makefile targets dev-env-build/run/shell/rm (plain docker build/run;
  host UID/GID passed as build args so the bind mount stays writable).
- Optional docker/certs/ drop-in trusts corporate/proxy root CAs so the
  image builds behind a TLS-intercepting proxy; ships empty, certs
  git-ignored.

Verified building and running on linux/arm64.
Address three OpenSSF Scorecard alerts:

- Pinned-Dependencies: CI workflows now install Python tooling from
  hash-pinned exports of uv.lock (big-code-analysis-py/requirements/
  {dev,examples}.txt, regenerated by `make py-relock`) with
  `pip install --require-hashes`, replacing the floor-range installs
  and the unpinned `pip install --upgrade pip` steps. Wheel smoke jobs
  install the just-built wheel by explicit dist/*.whl path with
  --no-deps. This also closes the "CI does not consume uv.lock" gap.
- Vulnerabilities: bump transitive deps anyhow 1.0.102 -> 1.0.103
  (RUSTSEC-2026-0190) and memmap2 0.9.10 -> 0.9.11
  (RUSTSEC-2026-0186); neither affected API is called directly.
- Binary-Artifacts: remove test_ext, a 4.3 MB compiled debug binary
  accidentally committed at the repo root. Nothing referenced it.

pytest-cov joins the dev extra and maturin the examples extra so the
exports cover exactly what each CI job needs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Audit of CLAUDE.md, AGENTS.md, and all 17 .claude/skills/ definitions
against the repo surfaced ~35 verified defects; fix them all:

- Default branch: CLAUDE.md's worktree section claimed the default
  branch is `master` (backwards); seven skills inherited failing
  `git checkout -b ... master` / `git diff master...HEAD` commands.
  All now say `main`.
- CLI interface: audit-crate, audit-file, improve-crate, and
  scan-project invoked the retired upstream form
  `big-code-analysis-cli -m -O json -p <path>` (silently no-opping
  behind `|| true`); now `bca metrics -O json <path>`.
- exit vs nexits: add-lang and scan-project referenced the nonexistent
  src/metrics/exit.rs and an exit_min accessor; audit-naming's
  canonical metric vocabulary gained nexits/tokens.
- Stability contract: AGENTS.md still described a published 1.x
  library with breaks reserved for 2.0 (2.0.1 shipped); reframed to
  the current major line / next major (3.0). Stale macro paths
  (src/macros.rs -> src/macros/, c_langs_macros/ ->
  src/c_langs_macros/) fixed here and in three skills.
- MCP deps: fix-issue, issue-plan, and batch-fix hard-required the
  unconfigured sequential-thinking server (issue-plan's guardrail made
  it non-negotiable) and fix-issue named a nonexistent
  serena:activate_project tool; all now degrade to inline reasoning
  and use serena:initial_instructions.
- Read-only contract: issue-triage created GitHub labels despite
  declaring itself read-only; it now detects and reports missing
  labels instead.
- Validation gates: improve-crate, cleanup-crate, and batch-fix ran
  only the raw cargo trio; the canonical `make pre-commit` now runs
  once on each integration branch (fast trio stays per-agent), in
  branch mode too. batch-fix agents gained the snapshot-anchoring
  and big-code-analysis-output submodule discipline they were never
  told about.
- scan-project: partition C falsely claimed language_c.rs /
  language_mozcpp.rs do not exist; c, mozcpp, objc, irules were in no
  partition; "encodes every lesson" overstated a checklist that maps
  to lessons <= 28 of 60. Partitions fixed, claims corrected.
- Smaller: CLAUDE.md skills table gained add-lang and batch-fix plus a
  note that the bca-check hook is opt-in; rust-optimize's D1 example
  no longer uses banned panic!, its MSRV matrix acknowledges the 1.94
  floor, dead allowed-tools entries dropped; four skills now cite
  .claude/rules/macro-comments.md at their macro-consolidation steps;
  fix-issue cites the test-via-revert rule and the real
  `## [Unreleased]` changelog convention; incomplete workspace-crate
  lists gained big-code-analysis-py / xtask / enums.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@dekobon dekobon merged commit c8b3f71 into main Jul 8, 2026
55 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant