Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
f86ae20
feat: add image generation metadata re-stamp script
BigSimmo Jul 8, 2026
bac1752
chore: reconcile ingestion RPC execute privileges, schema.sql and dri…
BigSimmo Jul 9, 2026
9216187
ci: add db-reset-verify and dependency-review workflows
BigSimmo Jul 9, 2026
83b437e
ci: remove dependency-review workflow because repository is private w…
BigSimmo Jul 9, 2026
1eee7d8
Merge origin/main into claude/llm-pipeline-review
Copilot Jul 9, 2026
50adfd5
Merge remote-tracking branch 'origin/claude/llm-pipeline-review' into…
Copilot Jul 9, 2026
6b7e581
📝 CodeRabbit Chat: Simplify code implementation (#434)
coderabbitai[bot] Jul 9, 2026
7efedc2
fix(db): rename duplicate migration version 20260708160000 to unique …
BigSimmo Jul 9, 2026
24314db
fix: run prettier on 19 files to fix CI format:check failure (#436)
Copilot Jul 9, 2026
def4753
fix: address PR 433 review comments
cursoragent Jul 9, 2026
255ca67
fix: address follow-up PR 433 review comments
cursoragent Jul 9, 2026
e811cc1
fix: address PR 433 review blockers
BigSimmo Jul 9, 2026
553eac9
fix: address PR 433 review comments on image re-stamp and eval forcing
cursoragent Jul 9, 2026
d831252
Merge origin/main into claude/llm-pipeline-review
Copilot Jul 9, 2026
7449ebf
Merge remote-tracking branch 'origin/claude/llm-pipeline-review' into…
BigSimmo Jul 9, 2026
a76fc39
Merge remote-tracking branch 'origin/claude/llm-pipeline-review' into…
BigSimmo Jul 9, 2026
6a90516
fix: restore neutralized 160000 migration for Supabase Preview parity
BigSimmo Jul 9, 2026
e1b5407
ci: keep supabase cache save non-blocking
BigSimmo Jul 9, 2026
6c06307
Merge remote-tracking branch 'origin/claude/llm-pipeline-review' into…
BigSimmo Jul 9, 2026
93c70e3
ci: run migration verification before docker image cache save
Copilot Jul 9, 2026
c424845
fix: address registry corpus review comments
BigSimmo Jul 9, 2026
72b5b17
docs: clarify required PR check setup
BigSimmo Jul 9, 2026
6721b0c
Merge remote-tracking branch 'origin/main' into codex/pr-required-che…
Copilot Jul 9, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,8 @@ env:

jobs:
# Fast deterministic merge gate: static checks, unit tests, and build.
# Intended as a required status check on main together with ui-smoke.
# Intended as a required status check on main together with ui-smoke,
# Gitleaks, and one migration replay gate.
verify:
runs-on: ubuntu-latest
timeout-minutes: 25
Expand Down Expand Up @@ -137,9 +138,10 @@ jobs:
playwright-report/
if-no-files-found: ignore

# Database migration replay in parallel with verify and ui-smoke, so we verify
# that our schema and migration chain can rebuild cleanly from scratch on
# every PR.
# Database migration replay in parallel with verify and ui-smoke. This is the
# repo-owned replay gate; if the external Supabase Preview check is already
# required and reliable, keep this advisory or path-filtered rather than
# requiring both replay gates on every PR.
db-reset-verify:
runs-on: ubuntu-latest
timeout-minutes: 15
Expand Down
9 changes: 7 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -183,8 +183,13 @@ npm run verify:release # check:runtime + lint + typecheck + test + build + test:
```

CI runs `format:check` in the `verify` job alongside lint, typecheck,
test:coverage, build, and edge-function typecheck. PRs also run the Chromium
`ui-smoke` job in parallel.
test:coverage, build, dependency audit, production-readiness CI mode, and
edge-function typecheck. PRs also run Chromium `ui-smoke` and the repo-owned
Supabase `db-reset-verify` job in parallel. The external `Supabase Preview`
check, when enabled, is the branch-database migration replay gate. Docker image
builds, full browser matrix, live drift, and live eval canary checks are
path-filtered, scheduled, or manual rather than normal required checks for every
source-only PR.

```bash
npm run dev # Next.js UI/API on this project's stable localhost port
Expand Down
10 changes: 5 additions & 5 deletions docs/process-hardening.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ This document turns the current process review into phased, durable repo practic
- `npm run verify:cheap` is the default broad local gate for source/config/test changes: `check:runtime`, `sitemap:check`, lint, typecheck, and unit tests.
- `npm run verify:ui` is the default UI gate: `check:runtime` plus Chromium Playwright smoke, stress, and accessibility media checks (`test:e2e:chromium`).
- `npm run verify:release` is the release-confidence gate: `check:runtime`, lint, typecheck, unit tests, build, full Playwright browser matrix, `check:production-readiness`, `governance:release`, and `eval:quality:release` (the last step needs live Supabase and OpenAI keys).
- CI runs two parallel PR jobs: `verify` (runtime alignment, edge-function typecheck, CI-safe production readiness, `format:check`, lint, typecheck, unit tests with coverage, build) and `ui-smoke` (Chromium Playwright against its own dev server). A gated `release-browser-matrix` job runs the full Playwright browser set on `main`, `release/*`, manual dispatch, and the weekly schedule.
- CI runs three parallel PR jobs in the `CI` workflow: `verify` (runtime alignment, dependency vulnerability audit, edge-function typecheck, CI-safe production readiness, `format:check`, lint, typecheck, unit tests with coverage, build), `ui-smoke` (Chromium Playwright against its own dev server), and `db-reset-verify` (Supabase local start plus `supabase db reset` migration replay). The external `Supabase Preview` check also replays the migration chain on branch databases when enabled. A gated `release-browser-matrix` job runs the full Playwright browser set on `main`, `release/*`, manual dispatch, and the weekly schedule.
- `tests/ui-accessibility.spec.ts` covers reduced-motion and forced-colors dashboard usability so those modes are no longer only reviewed by inspection.
- `tests/ui-tools.spec.ts` covers the Applications dashboard mode at mobile and desktop sizes, including the `/applications` compatibility redirect.
- `AGENTS.md` now points future agents to these gates and to this document.
Expand Down Expand Up @@ -130,10 +130,10 @@ passes `p_worker_id`. Ordered apply steps, R17 manual `CONCURRENTLY` index, and

## PR merge gate: tiered CI + required checks (2026-07-02)

- CI is now two parallel PR jobs instead of one serial 6-7 minute job: `verify` (runtime alignment, edge typecheck, CI-safe production readiness, lint, typecheck, unit tests with coverage gate, build — ~3 min) and `ui-smoke` (Chromium Playwright smoke against its own dev server — ~4.5 min). Wall-clock PR feedback drops to the slower of the two, and a flaky smoke rerun no longer repeats lint/typecheck/tests/build.
- The deployment boot smoke and full browser matrix remain gated to `main`, `release/*`, manual dispatch, and the weekly schedule — they are deliberately not PR gates.
- **Required-check debt: RESOLVED 2026-07-02.** Branch protection is now applied on `main` requiring `verify`, `ui-smoke`, and `Gitleaks`, with "require branches up to date" left OFF (strict up-to-dateness would force constant rebases across the many concurrent agent branches), `enforce_admins` OFF (admin bypass retained as an emergency hatch), and no required PR-review count (a solo+agents flow has no second human approver). This closes the gap that let #131/#133 merge red. Consequence now in effect: **direct pushes to `main` are blocked for non-bypass users; normal work must land via PR.** Repository admins can still use the retained bypass only as an emergency hatch. To adjust, edit the rule under repo Settings → Branches or via `gh api -X PUT repos/BigSimmo/Database/branches/main/protection`.
- If `ui-smoke` proves flaky as a required check, demote it to advisory (remove from required contexts) rather than tolerating red merges — the deterministic `verify` gate stays required regardless.
- CI is now three parallel PR jobs instead of one serial 6-7 minute job: `verify` (runtime alignment, production dependency audit, edge typecheck, CI-safe production readiness, format, lint, typecheck, unit tests with coverage gate, build), `ui-smoke` (Chromium Playwright smoke against its own dev server), and `db-reset-verify` (local Supabase migration replay). Wall-clock PR feedback drops to the slowest independent gate, and a flaky smoke rerun no longer repeats lint/typecheck/tests/build.
- The deployment boot smoke, full browser matrix, live drift check, live eval canary, and Docker image builds remain gated, scheduled, manual, or path-filtered — they are deliberately not normal required checks for every source-only PR.
- **Required-check debt: RESOLVED 2026-07-02; updated 2026-07-09.** Branch protection for `main` should require the exact active check contexts for `CI / verify`, `CI / ui-smoke`, `Secret Scan / Gitleaks`, and one migration replay gate. Prefer the external `Supabase Preview` check when it is enabled and reliable; otherwise require `CI / db-reset-verify`. Requiring both replay gates is conservative but usually redundant. Keep `SAST / Semgrep` required only if the repository owner accepts its external-rule/network dependency as part of the normal merge gate. Do not require path-filtered or scheduled/manual contexts such as `Docker image build / app-image`, `Docker image build / worker-image`, `CI / release-browser-matrix`, `Eval Canary`, or `Live drift check`; they can be absent on ordinary PRs and would leave branches stuck at "Expected - Waiting for status to be reported." Keep "require branches up to date" OFF unless the branch flow changes, keep `enforce_admins` OFF only as an emergency bypass decision, and avoid requiring duplicate legacy contexts named only `verify` or `ui-smoke` when GitHub already reports the active `CI / ...` contexts.
- If `ui-smoke` proves flaky as a required check, demote it to advisory (remove from required contexts) rather than tolerating red merges — the deterministic `verify` gate stays required regardless. If `db-reset-verify` becomes the bottleneck, path-filter it to Supabase migrations/schema/config and database-access code before demoting it entirely.

## CSS cascade layering (2026-07-02)

Expand Down
Loading