
Commit 7bfac4d

authored
test: refresh shell title release gate
test: refresh shell title release gate
2 parents 936daca + 4b67d7b commit 7bfac4d

16 files changed

Lines changed: 4127 additions & 6454 deletions

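--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -184,6 +184,11 @@ jobs:
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
+- name: Setup pnpm
+uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c
+with:
+version: 10.28.1
+
 - name: Setup Python
 uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
 with: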
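Review bot: The `pnpm/action-setup@c5ba7f78…` pin on the added `uses:` line has no trailing comment naming the release that commit belongs to, so a reader of the workflow cannot tell which action version runs or check that a later SHA change moves forward rather than to an arbitrary commit. Append the tag as a comment, e.g. `uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c  # <release tag of this commit>`; the checkout and setup-python pins in the context lines have the same gap. The hard-coded `version: 10.28.1` is also a second source of truth if package.json declares a `packageManager` field (not visible in this commit view); in that case dropping `with.version` lets the action read the version from there, so the lockfile cannot be regenerated with one pnpm and verified with another. The job's remaining steps lie outside the hunk.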

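--- a/.github/workflows/quality-gates.yml
+++ b/.github/workflows/quality-gates.yml
@@ -50,7 +50,9 @@ jobs:
 
 - name: Verify commands
 env:
-VERIFY_SKIP_REGEX: ${{ github.event_name == 'push' && '^pnpm git:guard:all$' || '' }}
+# The dedicated perf-build job owns build timing. Running it again
+# after coverage/UI gates produces noisy runner-load failures.
+VERIFY_SKIP_REGEX: ${{ github.event_name == 'push' && '^(pnpm git:guard:all|pnpm perf:build|node scripts/perf/compare-metric.mjs .perf-baselines/build-time.json .*)$' || '^(pnpm perf:build|node scripts/perf/compare-metric.mjs .perf-baselines/build-time.json .*)$' }}
 run: bash .codex/scripts/run_verify_commands.sh
 
 - name: Generate coverage report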
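Review bot: The perf alternation in the new `VERIFY_SKIP_REGEX` is spelled out twice, once per branch of the `&& … ||` expression, so a later edit to one copy silently makes push and pull-request runs skip different verify commands. Build the pattern once and splice in the push-only part, e.g. `VERIFY_SKIP_REGEX: ${{ format('^({0}pnpm perf:build|node scripts/perf/compare-metric\.mjs \.perf-baselines/build-time\.json .*)$', github.event_name == 'push' && 'pnpm git:guard:all|' || '') }}`, which also escapes the literal dots that currently match any character. Because this value decides which gate commands never run, it is worth confirming that the perf-build job named in the comment is a required check; otherwise the build-time comparison no longer blocks a merge anywhere. How `run_verify_commands.sh` applies the regex is not shown in this commit view.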
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
# ADR 0013 - Release-gate dependency security refresh
2+
3+
## Status
4+
5+
Accepted
6+
7+
## Context
8+
9+
The release gate surfaced fresh dependency advisories after the shell-title
10+
test cleanup was ready. The failing checks covered three dependency surfaces:
11+
the JavaScript lockfile, Rust DNS/compression dependencies, and the Python
12+
search API embedding stack.
13+
14+
Leaving the advisories open would keep the release branch red. Treating them
15+
as unrelated would also make the release gate less useful, because the branch
16+
was already exercising the dependency-health workflows.
17+
18+
## Decision
19+
20+
Keep the remediation in the release-gate cleanup branch and make the smallest
21+
compatible updates needed for the gate to pass:
22+
23+
- Regenerate the pnpm lockfile with the same pnpm version used by CI.
24+
- Upgrade `hickory-resolver` to the fixed 0.26 line and adapt the DNS resolver
25+
wrapper to the renamed Tokio resolver API.
26+
- Update the vulnerable `lz4_flex` transitive dependency through `Cargo.lock`.
27+
- Keep temporary Rust audit waivers only for upstream warning-class transitives
28+
that do not currently have direct application-level fixes.
29+
- Upgrade the Python embedding stack to compatible current versions of
30+
`huggingface-hub`, `sentence-transformers`, and `transformers`.
31+
32+
## Consequences
33+
34+
The dependency gate becomes current again without changing intended product
35+
behavior. The DNS wrapper now follows the newer Hickory resolver construction
36+
API, and the Python search API will resolve a newer embedding stack in CI.
37+
38+
The remaining Rust audit waivers still need periodic review through the
39+
existing dependency-advisory process. They are documented in the audit script
40+
instead of being hidden in CI configuration.
41+
42+
## Alternatives Considered
43+
44+
Split the dependency work into separate follow-up PRs. Rejected because the
45+
current PR was already blocked by release-gate security checks, and keeping
46+
the gate red would leave the branch unmergeable.
47+
48+
Disable or weaken the failing checks. Rejected because the checks caught real
49+
dependency drift and should remain authoritative.

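--- a/openapi/openapi.generated.json
+++ b/openapi/openapi.generated.json
@@ -3,7 +3,7 @@
 "info": {
 "title": "AssistSupport Search API",
 "version": "1.2.0",
-"description": "Local loopback search sidecar used by AssistSupport for hybrid KB search, feedback capture, readiness checks, and operational stats."
+"description": "Local loopback search sidecar used by AssistSupport for adaptive hybrid KB search, feedback capture, readiness checks, and Knowledge diagnostics stats."
 },
 "servers": [
 {
@@ -142,16 +142,6 @@
 "include_scores": {
 "type": "boolean",
 "default": false
-},
-"fusion_strategy": {
-"type": "string",
-"enum": [
-"adaptive",
-"rrf",
-"weighted",
-"rerank"
-],
-"default": "adaptive"
 }
 }
 },
@@ -222,7 +212,6 @@
 "latency_ms",
 "embedding_time_ms",
 "search_time_ms",
-"rerank_time_ms",
 "result_count",
 "timestamp"
 ],
@@ -236,9 +225,6 @@
 "search_time_ms": {
 "type": "number"
 },
-"rerank_time_ms": {
-"type": "number"
-},
 "result_count": {
 "type": "integer"
 },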

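--- a/package.json
+++ b/package.json
@@ -95,46 +95,46 @@
 "dependencies": {
 "@fontsource-variable/ibm-plex-sans": "^5.2.8",
 "@fontsource-variable/jetbrains-mono": "^5.2.8",
-"@tauri-apps/api": "^2",
-"@tauri-apps/plugin-dialog": "^2.6.0",
-"@tauri-apps/plugin-opener": "^2",
-"react": "^19.1.0",
-"react-dom": "^19.1.0"
+"@tauri-apps/api": "^2.11.0",
+"@tauri-apps/plugin-dialog": "^2.7.1",
+"@tauri-apps/plugin-opener": "^2.5.4",
+"react": "^19.2.6",
+"react-dom": "^19.2.6"
 },
 "devDependencies": {
-"@axe-core/playwright": "^4.11.0",
+"@axe-core/playwright": "^4.11.3",
 "@commitlint/cli": "^19.8.1",
 "@commitlint/config-conventional": "^19.8.1",
 "@commitlint/cz-commitlint": "^19.8.1",
-"@eslint/js": "^9.39.1",
+"@eslint/js": "^9.39.4",
 "@lhci/cli": "^0.15.1",
-"@playwright/test": "^1.56.1",
-"@tauri-apps/cli": "^2",
-"@testing-library/react": "^16.3.0",
+"@playwright/test": "^1.59.1",
+"@tauri-apps/cli": "^2.11.1",
+"@testing-library/react": "^16.3.2",
 "@testing-library/user-event": "^14.6.1",
-"@types/react": "^19.1.8",
-"@types/react-dom": "^19.1.6",
-"@typescript-eslint/eslint-plugin": "^8.46.1",
-"@typescript-eslint/parser": "^8.46.1",
+"@types/react": "^19.2.14",
+"@types/react-dom": "^19.2.3",
+"@typescript-eslint/eslint-plugin": "^8.59.2",
+"@typescript-eslint/parser": "^8.59.2",
 "@vitejs/plugin-react": "^5.2.0",
 "@vitest/coverage-v8": "^3.2.4",
 "commitizen": "^4.3.1",
-"eslint": "^9.39.1",
+"eslint": "^9.39.4",
 "eslint-plugin-react-hooks": "^5.2.0",
-"globals": "^16.4.0",
+"globals": "^16.5.0",
 "husky": "^9.1.7",
-"jsdom": "^27.1.0",
+"jsdom": "^27.4.0",
 "lighthouse": "^12.8.2",
 "lint-staged": "^15.5.2",
-"prettier": "^3.6.2",
-"prettier-plugin-tailwindcss": "^0.7.1",
-"stylelint": "^16.25.0",
+"prettier": "^3.8.3",
+"prettier-plugin-tailwindcss": "^0.7.4",
+"stylelint": "^16.26.1",
 "stylelint-config-standard": "^39.0.1",
 "typescript": "~5.8.3",
-"typescript-eslint": "^8.46.1",
-"vite": "^7.3.2",
+"typescript-eslint": "^8.59.2",
+"vite": "^7.3.3",
 "vitest": "^3.2.4",
-"web-vitals": "^5.1.0"
+"web-vitals": "^5.2.0"
 },
 "pnpm": {
 "overrides": {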
