Align repo to standards: add community files + CI badge#19
Conversation
Bring the repo up to the same standard as the other published repos. Pure additions — no source, test, or CI-workflow changes. Verified locally: typecheck clean and the offline `npm test` gate passes 44/44 without an API key. - Community health files: CODE_OF_CONDUCT.md (Contributor Covenant 2.1) and SECURITY.md — the latter built around this repo's actual security invariant (the no-leak boundary in src/no-leak.ts: private prose can't reach the prompt, answers cite or refuse), plus API-key handling and prompt injection. - Issue templates: a standard bug report and a "boundary failure / gold case" form (the highest-signal report per CONTRIBUTING — answered-when-should-decline, leaked a private note, or claimed supported while citing hints), + config. A pull request template that encodes the contribution bar (npm test green without an API key; no special-casing the eval). - .editorconfig (2-space, matching the TS source) and .gitattributes (LF normalization; verified `git add --renormalize .` is churn-free). - README: Tests (CI) status badge alongside the existing DOI / License / Release / DeepWiki badges. - CONTRIBUTING: link the Code of Conduct and Security policy. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01KM3jW1KEuPYLcjxS9yrwE1
Automated Checks (advisory, non-blocking)✅ All checks passed.
Standards ComplianceThe shown changes are docs/config only; they don’t touch Also, the main issue from my prior review looks fixed:
Combined with the explicit “private-note leak → SummaryThis PR is mostly repo-health work: the shown diff adds public issue templates plus editor/VCS normalization config, with the rest apparently in community/docs files outside the excerpt. No runtime behavior changes are visible here; the main review surface is whether the public reporting flow safely separates gold-case regressions from private security disclosures. What to pay attention to
Things I noticedNo red flags in the shown diff. The one issue I called out previously—the templates nudging users toward verbatim public queries—appears resolved. Good patterns
Suggested improvements
Questions for the author
Surmado Code Review (v1.2-mt) is an automated review, designed to work alongside human judgment. Want to change your STANDARDS.md or YML? Edit it directly, or tune it with our AI agent Scout. Comment |
…issues The code-review bot caught a real contradiction (red flag) on PR #19: the boundary/gold-case template listed "leaked a private note" as a public report mode and asked for the relevant note/document — but a private-note leak IS the no-leak invariant failing, which SECURITY.md (correctly) treats as a private security disclosure. The public form invited posting exactly the private content the engine exists to protect. - Drop the "leaked / restated a private note" option from the public gold-case template; add a prominent caution that real leaks go to SECURITY.md. - The public form now covers only non-sensitive grounding/decline regressions (answered-when-should-decline, ungrounded citation, refused-with-evidence), with a redaction note on the corpus field. - bug_report.yml routing language updated to match: leaks (and keys) -> SECURITY.md. Now the bug template, the gold template, and SECURITY.md agree on the split. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01KM3jW1KEuPYLcjxS9yrwE1
Closing follow-up to the leak-routing fix. The public gold-case form asked for "the exact query"; for a private corpus that could still surface sensitive prompt text. Now it asks for the exact query only when non-sensitive, otherwise paraphrase/redact and say so. Same redaction hint added to the bug-report repro steps. Completes the redaction guidance the bot flagged on PR #19. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01KM3jW1KEuPYLcjxS9yrwE1
What & why
Brings this repo up to the same standard as the other published
lukefwaltonrepos. Pure additions — no source, test, or CI-workflow changes. Verified locally:typecheckis clean and the offlinenpm testgate passes 44/44 without an API key.CODE_OF_CONDUCT.md(Contributor Covenant 2.1) andSECURITY.md. The security policy is built around this repo's actual invariant — the no-leak boundary (src/no-leak.ts: private prose can't reach the prompt; answers cite or refuse) — plus API-key handling and prompt injection, rather than boilerplate.CONTRIBUTING.md(answered-when-it-should-decline, leaked a private note, or claimedsupportedwhile citing only hints) — plusconfig.yml. And a pull request template that encodes the contribution bar (npm testgreen without an API key; no special-casing the eval)..editorconfig(2-space, matching the TS source) and.gitattributes(LF normalization;git add --renormalize .verified churn-free).Checklist
typecheck+ offlinenpm test(44/44) pass locally without an API key.editorconfigindent matches the existing 2-space source🤖 Generated with Claude Code
Generated by Claude Code