Skip to content

Align repo to standards: add community files + CI badge#19

Merged
lukefwalton merged 3 commits into
mainfrom
claude/repo-standards-alignment-loh1ol
Jun 30, 2026
Merged

Align repo to standards: add community files + CI badge#19
lukefwalton merged 3 commits into
mainfrom
claude/repo-standards-alignment-loh1ol

Conversation

@lukefwalton

Copy link
Copy Markdown
Owner

What & why

Brings this repo up to the same standard as the other published lukefwalton repos. Pure additions — no source, test, or CI-workflow changes. Verified locally: typecheck is clean and the offline npm test gate passes 44/44 without an API key.

  • Community health files: CODE_OF_CONDUCT.md (Contributor Covenant 2.1) and SECURITY.md. The security policy is built around this repo's actual invariant — the no-leak boundary (src/no-leak.ts: private prose can't reach the prompt; answers cite or refuse) — plus API-key handling and prompt injection, rather than boilerplate.
  • Issue templates: a standard bug report and a "boundary failure / gold case" form — the highest-signal report per CONTRIBUTING.md (answered-when-it-should-decline, leaked a private note, or claimed supported while citing only hints) — plus config.yml. And a pull request template that encodes the contribution bar (npm test green without an API key; no special-casing the eval).
  • Editor & VCS config: .editorconfig (2-space, matching the TS source) and .gitattributes (LF normalization; git add --renormalize . verified churn-free).
  • README: a Tests (CI) status badge alongside the existing DOI / License / Release / DeepWiki badges.
  • CONTRIBUTING: links the Code of Conduct and Security policy.

Checklist

  • Community health files added (SECURITY.md tailored to the no-leak boundary)
  • CI status badge added to the README
  • typecheck + offline npm test (44/44) pass locally without an API key
  • .editorconfig indent matches the existing 2-space source
  • CI passes (waiting on this run)

🤖 Generated with Claude Code


Generated by Claude Code

Bring the repo up to the same standard as the other published repos. Pure
additions — no source, test, or CI-workflow changes. Verified locally: typecheck
clean and the offline `npm test` gate passes 44/44 without an API key.

- Community health files: CODE_OF_CONDUCT.md (Contributor Covenant 2.1) and
  SECURITY.md — the latter built around this repo's actual security invariant
  (the no-leak boundary in src/no-leak.ts: private prose can't reach the prompt,
  answers cite or refuse), plus API-key handling and prompt injection.
- Issue templates: a standard bug report and a "boundary failure / gold case"
  form (the highest-signal report per CONTRIBUTING — answered-when-should-decline,
  leaked a private note, or claimed supported while citing hints), + config.
  A pull request template that encodes the contribution bar (npm test green
  without an API key; no special-casing the eval).
- .editorconfig (2-space, matching the TS source) and .gitattributes (LF
  normalization; verified `git add --renormalize .` is churn-free).
- README: Tests (CI) status badge alongside the existing DOI / License /
  Release / DeepWiki badges.
- CONTRIBUTING: link the Code of Conduct and Security policy.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KM3jW1KEuPYLcjxS9yrwE1
@surmado-code-review

surmado-code-review Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Automated Checks (advisory, non-blocking)

✅ All checks passed.


⚠️ Partial review: The diff excerpt only shows the repo-metadata and issue-template files, so feedback below focuses on those paths and the public reporting flow.

Standards Compliance

The shown changes are docs/config only; they don’t touch src/no-leak.ts, retrieval/grounding, prompts, or eval logic, so I don’t see a visible violation of the repo’s boundary/citation standards in the diff shown.

Also, the main issue from my prior review looks fixed:

  • .github/ISSUE_TEMPLATE/boundary_or_gold.yml
    • The exact query — but only if it's non-sensitive. If it involves private text, paraphrase or redact it...
  • .github/ISSUE_TEMPLATE/bug_report.yml
    • If a repro query is sensitive, paraphrase or redact it — issues are public.

Combined with the explicit “private-note leak → SECURITY.md” routing, that now lines up much better with the repo’s no-leak/security bar.

Summary

This PR is mostly repo-health work: the shown diff adds public issue templates plus editor/VCS normalization config, with the rest apparently in community/docs files outside the excerpt. No runtime behavior changes are visible here; the main review surface is whether the public reporting flow safely separates gold-case regressions from private security disclosures.
Reviewer: most of the judgment is in the issue-template wording and link targets; the rest looks like low-risk repo metadata.

What to pay attention to

  • .github/ISSUE_TEMPLATE/boundary_or_gold.yml + bug_report.yml: these are the only shown files with real disclosure risk. The revised redaction/security wording looks good; I’d just verify it matches the unseen SECURITY.md wording so the public/private split is consistent end-to-end.
  • .github/ISSUE_TEMPLATE/config.yml: with blank_issues_enabled: false, the contact links become the fallback path for reporters. Worth a quick click-through check that those targets are the intended canonical docs.

Things I noticed

No red flags in the shown diff. The one issue I called out previously—the templates nudging users toward verbatim public queries—appears resolved.

Good patterns

  • Nice fix on the prior security concern: both public templates now explicitly route private-note leaks to SECURITY.md instead of keeping them in public issues.
  • The boundary/gold template preserves the repo’s eval standard by stating the fix belongs in the corpus, scoring, or prompt—never as a one-off question special case.

Suggested improvements

  1. After merge, click-test the new badge and template contact links from the rendered GitHub UI, since broken links are the main failure mode left in a docs-only PR like this.

Questions for the author

  • [UNVERIFIED] Is the .github/STANDARDS.md link in .github/ISSUE_TEMPLATE/config.yml intentionally the public entry point for the PR rubric, and does that file already exist on main? With blank issues disabled, that link becomes pretty important.

Surmado Code Review (v1.2-mt) is an automated review, designed to work alongside human judgment.

Want to change your STANDARDS.md or YML? Edit it directly, or tune it with our AI agent Scout.

Comment /rerun-review on this PR to refresh the review — costs 1 additional PR credit.

claude added 2 commits June 30, 2026 11:19
…issues

The code-review bot caught a real contradiction (red flag) on PR #19: the
boundary/gold-case template listed "leaked a private note" as a public report
mode and asked for the relevant note/document — but a private-note leak IS the
no-leak invariant failing, which SECURITY.md (correctly) treats as a private
security disclosure. The public form invited posting exactly the private content
the engine exists to protect.

- Drop the "leaked / restated a private note" option from the public gold-case
  template; add a prominent caution that real leaks go to SECURITY.md.
- The public form now covers only non-sensitive grounding/decline regressions
  (answered-when-should-decline, ungrounded citation, refused-with-evidence),
  with a redaction note on the corpus field.
- bug_report.yml routing language updated to match: leaks (and keys) -> SECURITY.md.

Now the bug template, the gold template, and SECURITY.md agree on the split.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KM3jW1KEuPYLcjxS9yrwE1
Closing follow-up to the leak-routing fix. The public gold-case form asked for
"the exact query"; for a private corpus that could still surface sensitive
prompt text. Now it asks for the exact query only when non-sensitive, otherwise
paraphrase/redact and say so. Same redaction hint added to the bug-report repro
steps. Completes the redaction guidance the bot flagged on PR #19.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KM3jW1KEuPYLcjxS9yrwE1
@lukefwalton lukefwalton merged commit d03883f into main Jun 30, 2026
3 checks passed
@lukefwalton lukefwalton deleted the claude/repo-standards-alignment-loh1ol branch June 30, 2026 11:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants