Skip to content

Merge development into main: consolidated branches, history nav, severity enrichment#14

Open
stevologic wants to merge 8 commits into
mainfrom
development
Open

Merge development into main: consolidated branches, history nav, severity enrichment#14
stevologic wants to merge 8 commits into
mainfrom
development

Conversation

@stevologic

@stevologic stevologic commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Brings main level with development after full branch consolidation (all other branches verified merged or superseded and deleted).

What's included

  • OSV severity enrichment: advisories missing severity are enriched by resolving CVE/GHSA aliases against OSV, with per-ID caching and capped lookups (port of codex/add-cve-severity-lookup-via-alias-url, adapted to the current cache layer)
  • Browser history navigation: package, CVE, and repository views push history entries and a popstate handler re-drives the matching flow, so back/forward pivots between analyses; per-view document titles
  • Export builders extracted & tested: skipped-dependency queue JSON/CSV/Markdown-brief builders are pure functions with node:test coverage; fixes missing-license items mislabeled "Needs review" instead of "Missing SPDX"
  • Everything from PR Codex/auto enhancements #13: SPDX export, transitive CSV/SBOM export, skipped-dependency JSON export, GitHub repo deep links, audit brief export
  • Cohesion: legacy unlinked chat page removed, README documents the three UI modes/deep links/branch model, CONTRIBUTING points at development, CI runs UI tests and fails on gofmt violations, .gitattributes normalizes line endings

Verification

  • go build ./... && go vet ./... && go test ./... green
  • node --test "ui/**/*.test.mjs" green (3/3)
  • End-to-end in browser: package analysis (express, lodash), CVE lookup (CVE-2024-3094, CVE-2021-23337 incl. NVD fallback), repo import (expressjs/express incl. ?repo= deep link), back/forward across all three views, light/dark themes contrast-audited, mobile viewport overflow-free
  • MCP server smoke-tested over stdio: initialize, tools/list, tools/call against live API

🤖 Generated with Claude Code

stevologic and others added 8 commits July 1, 2026 13:24
* Refactor dependency explorer data flow and UI

* Refactor dependency explorer data flow

* Refactor dependency explorer data handling

* Add GraphViz and GitHub dependency export support

* code auto-enhancements

* Add copyable audit brief for GitHub dependency review

* Add GitHub repo deep links and audit brief export

* Surface unsupported GitHub SBOM dependencies

* Add skipped dependency JSON export

* Export transitive dependency data in CSV and SBOM

* Add SPDX export for repository imports
Move the skipped-dependency queue JSON, CSV, and Markdown brief export
logic out of the App component into pure builder functions exposed via
test hooks, and add node:test coverage. Fixes missing-license items
being classified "Needs review" instead of "Missing SPDX" in the brief.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Port of codex/add-cve-severity-lookup-via-alias-url, adapted to the
current cache layer: when an OSV advisory lacks severity data, resolve
its aliases (from the aliases field and CVE/GHSA-shaped reference URLs)
against api.osv.dev/v1/vulns and copy the first severity found. Alias
lookups are capped per vuln and cached individually; the query cache
key is bumped so previously cached unenriched results refresh.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Deep-link URLs (package, CVE, repository) now push history entries
instead of replacing in place, and a popstate listener re-drives the
matching analysis flow, so browser back/forward pivots between package,
advisory, and repository views. Clearing the form is also a navigable
step. Same-URL updates still replace to avoid duplicate entries.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Package, CVE, and repository views now set descriptive document titles
so browser history entries, tabs, and shared links are identifiable.
Add meta description and theme-color to index.html and bump the app.js
cache-buster.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
ui/chat.html was an early command-style lookup UI that nothing links
to. It duplicated a small subset of the main explorer and pulled
tsparticles and fonts from CDNs, unlike the self-contained main app.
History preserves it if ever needed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
README gains a Web UI section covering the package, CVE, and repository
analysis modes, deep links, and history navigation, plus a note on OSV
severity alias enrichment. CONTRIBUTING points feature branches at
development and documents the test commands. CI now fails on gofmt
violations (previously gofmt -l never failed the build) and runs the
node:test UI suite. Add .gitattributes to normalize line endings.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@stevologic stevologic changed the title Codex/auto enhancements (#13) Merge development into main: consolidated branches, history nav, severity enrichment Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant