chore(rig): roll out rig + slim agent docs #6
Scaffold rig.yaml and add rig's additive security/quality CI gates (codeql self-gate, dependency-review, leftover-grep, review-threads, secret-scan) plus their ci/ companion scripts. Existing ci.yml (ruff/pytest/mypy) is untouched — rig's workflows are separate files, no collision. Global skills/hooks already installed machine-wide. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Remove generic engineering rules from AGENTS.md that the rig-installed agent-tools skills now self-advertise (atomic-commits, ai-review-before-commit, pre-commit-gate, push-regularly, no-type-escape-hatches). Collapse the "Commit discipline" section to only the 3d-cli-specific overrides: direct-to-main workflow, the project's review model roster, and the Co-Authored-By trailer. Drop the standalone "Zero warnings" bullet (now covered by pre-commit-gate + no-type-escape-hatches); keep the project's exact lint command folded into the Typed bullet. Conservative pass: all 3d-cli specifics kept (bin/3d dispatcher contract, self-registering command modules, pyrun/venv tiers, OpenSCAD/mesh/render pipeline, 3d test gate, mypy.ini bindings, bootstrap marker, help/docs sync paths, fit-camera proof requirements, trusted tg policy). No survivors reworded; CLAUDE.md symlink and internal refs intact. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ead791ee71
on:
  pull_request_target:
    types: [opened, synchronize, reopened, ready_for_review]
Re-run the thread gate when reviews change
Because this workflow is intended to be the merge-blocking unresolved-thread check, limiting it to these pull_request_target activity types leaves a stale green status when a reviewer later submits an inline review or review comment; GitHub documents those as separate pull_request_review and pull_request_review_comment workflow events. In that common sequence, the unresolved thread is created after this check has passed, so branch protection can still see the old green result until another push or manual run.
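A concrete version of the trigger fix the comment asks for, as an added example and not the PR's actual review-threads.yml. It assumes the companion script at ci/review-threads/review-threads.sh (named in the PR description) exits non-zero when unresolved threads remain and reads the PR number from the environment; the event list, permissions block and step layout are this example's own choices.

```yaml
# Added example: a merge-blocking unresolved-thread gate that re-runs when
# reviews land. Not the repo's real workflow; paths/env names are assumptions.
name: review-threads

on:
  # The flagged form stopped here, so a review submitted after the last push
  # left a stale green status.
  pull_request_target:
    types: [opened, synchronize, reopened, ready_for_review]
  # Also fire on the review events GitHub emits separately.
  pull_request_review:
    types: [submitted, edited, dismissed]
  pull_request_review_comment:
    types: [created, edited, deleted]
  # And on thread resolve/unresolve, so the gate can go green again without
  # a fresh push once the last thread is resolved.
  pull_request_review_thread:
    types: [resolved, unresolved]

# pull_request_target runs with the base repo's token; scope it down so this
# data-only check cannot write to the repository.
permissions:
  contents: read
  pull-requests: read

jobs:
  unresolved-threads:
    runs-on: ubuntu-latest
    steps:
      # Default checkout under pull_request_target is the BASE ref; the
      # PR-head code is never checked out or executed here.
      - uses: actions/checkout@v4
      - name: Fail on unresolved review threads
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Every event family above exposes the PR under github.event.pull_request.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: bash ci/review-threads/review-threads.sh
```

Branch protection only sees the latest run per check name, so once the review events are wired in the status follows the thread state rather than the last push.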
      build-mode: none
    - language: actions
      build-mode: none
    # - language: python
Include Python in the CodeQL gate
This repo's shipped CLI is overwhelmingly Python (bin/3d plus 233 tracked .py files under lib/ and tests/), but the CodeQL matrix analyzes only JavaScript and workflow files while Python is commented out. Since GitHub lists Python as a supported CodeQL language, this required check can pass without scanning the main code that users run; add a python/build-mode: none matrix entry so the self-gate covers the actual project.
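What the matrix looks like with the Python entry restored, as an added example rather than the repo's codeql.yml. It assumes a plain Python project that needs no build step (build-mode none throughout), the default CodeQL query suite, and the github/codeql-action v3 inputs shown; the trigger branches are assumed too.

```yaml
# Added example: CodeQL self-gate with Python in the matrix. Not the repo's
# real workflow; branches and action versions are assumptions.
name: codeql

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload SARIF results
  actions: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false       # one language failing must not hide the others
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: javascript-typescript
            build-mode: none
          # Was commented out in the flagged snippet, so the "required" gate
          # scanned everything except the code users actually run.
          - language: python
            build-mode: none
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      - uses: github/codeql-action/analyze@v3
        with:
          # One category per language so each matrix leg uploads its own
          # result set instead of overwriting the others.
          category: "/language:${{ matrix.language }}"
```

Because the check is required, make sure each language leg reports under a distinct category; otherwise a passing leg can mask a failing one.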
#
# GITLEAKS_LICENSE is only required for gitleaks-action in GitHub *organizations*
# (not personal repos). Set it as a repo/org secret if your account needs it:
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
The pinned gitleaks/gitleaks-action documented usage passes GITHUB_TOKEN, and its docs state the action uses that token for GitHub API work such as PR comments; this env block only supplies the license. On pull_request runs the action can fail or lose PR-specific reporting before it provides the intended secret-scan result, so add GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} here and grant the needed PR permission if comments remain enabled.
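The env block with the token the comment asks for, as an added example and not the repo's secret-scan.yml. It assumes gitleaks/gitleaks-action v2 (substitute the commit SHA the repo already pins), that PR comments stay enabled, and the triggers shown; GITLEAKS_ENABLE_COMMENTS is the action's documented toggle for those comments.

```yaml
# Added example: gitleaks secret scan with the token it needs for PR work and
# least-privilege permissions. Not the repo's real workflow; triggers and the
# @v2 ref are assumptions (pin to a SHA as the repo does elsewhere).
name: secret-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  pull-requests: write   # drop to read if GITLEAKS_ENABLE_COMMENTS is "false"

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so every commit in the PR is scanned
      - uses: gitleaks/gitleaks-action@v2
        env:
          # The flagged block supplied only the license, so the action had no
          # token for the GitHub API calls it uses for PR-scoped reporting.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Only required for GitHub organizations; personal repos may leave it unset.
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
          GITLEAKS_ENABLE_COMMENTS: "true"
```

Keep the permissions block as the one place that widens the token: if comments are turned off, pull-requests can go back to read and the job still blocks on findings via its exit status.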
Pull in the fixed agent-tools CI gate templates so the new gates stop hard-failing on a fresh private repo:
- dependency-review: preflight probes the Dependency Graph and skips cleanly (with a notice + enable link) when off, instead of erroring with "Dependency review is not supported on this repository". Blocks normally once enabled.
- secret-scan (gitleaks): pass GITHUB_TOKEN, now required to scan PRs.
- codeql self-gate: skip a matrix language cleanly when the repo has no source for it.

Suppress the two by-design actions findings in leftover-grep.yml (data-only PR-head fetch) with justified markers.

Also fix the two real CodeQL actions findings in this repo's own ci.yml so the self-gate goes green legitimately (not by suppression):
- add permissions: contents: read (least-privilege GITHUB_TOKEN).
- pin astral-sh/setup-uv@v5 to its commit SHA (unpinned 3rd-party action).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ove a finding

Same fix as the template: widen is_source_suppressed to scan the contiguous comment block above a flagged line so the justified # codeql[...] markers in leftover-grep.yml actually suppress the by-design actions findings.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What

Roll out rig to this repo and slim AGENTS.md/CLAUDE.md per CTO #3686.

1. Apply rig (chore(rig): apply rig.yaml)

rig init --yes scaffolded rig.yaml (detected type: CLI) and applied the per-repo committed artifacts. Global skills/hooks were already installed machine-wide (rig reported them identical, left as-is).

Added inside the repo:
- rig.yaml — declarative source of truth
- .github/workflows/: codeql.yml (self-gate), dependency-review.yml, leftover-grep.yml, review-threads.yml, secret-scan.yml
- ci/ companions: dependency-review/dep-audit.sh, leftover-grep/leftover-grep.sh, review-threads/review-threads.sh, secret-scan/secret-scan.sh

These are additive — the existing ci.yml (ruff/pytest/mypy) is a separate file and is untouched. No filename collisions.

.claude/settings.json (auto-mode) is written but gitignored, so it is not committed.

No runnable code touched (no .py/bin/lib/tests/pyproject/mypy.ini) — the 3d test gate is unchanged from origin/main.

2. Slim AGENTS.md (docs(agents): drop now-self-advertised generic rules)

Conservative pass — removed only the generic engineering rules now self-advertised by the rig-installed agent-tools skills:
- Collapsed "Commit discipline" to the 3d-cli-specific overrides (direct-to-main workflow, the project's review model roster, the Co-Authored-By trailer). The generic atomic-commits / AI-review-before-commit / pre-commit-gate / push-regularly boilerplate + the multi-paragraph review-cli fallback recipe are covered by the atomic-commits, ai-review-before-commit, pre-commit-gate, push-regularly skills.
- Dropped the standalone "Zero warnings" bullet (now covered by pre-commit-gate + no-type-escape-hatches); folded the project's exact lint command into the Typed bullet so no project info is lost.

Kept every 3d-cli specific: bin/3d dispatcher contract, self-registering command modules, cli.pyrun/venv tiers, OpenSCAD/mesh/render pipeline, the 3d test gate, mypy.ini per-module bindings, the bootstrap marker, help/docs sync paths, the full fit-camera/reference-matching proof requirements, and the trusted tg policy. No surviving prose reworded. CLAUDE.md symlink and internal refs intact.

AGENTS.md: 306 → 257 lines (−49; 16 insertions / 65 deletions).
Do not merge
Review only — leaving merge decision to the owner.
🤖 Generated with Claude Code