3975 Commits

Author SHA1 Message Date
Kazuki Yamada 416d042d43 Merge pull request #1611 from yamadashy/chore/renovate-ignore-clack-prompts
chore(renovate): Ignore @clack/prompts major update
2026-05-30 14:52:40 +09:00
Kazuki Yamada 5dce33f205 chore(renovate): Ignore @clack/prompts major update
intent(renovate): defer @clack/prompts v1 — the root major deps update (PR #1607) is fully red because v1 changed the text() validate callback arg to `string | undefined`, breaking the tsc build at src/cli/actions/initAction.ts:97 (TS18048); since build runs via the prepare hook, every npm ci fails and all CI jobs cascade-fail
decision(renovate): ignore only @clack/prompts, leaving typescript 6.0 and @secretlint/* 13 in the major group so CI can still evaluate them once clack is out of the batch

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 14:50:35 +09:00
Kazuki Yamada 88aca0172a Merge pull request #1608 from yamadashy/renovate/major-website-major-dependencies
fix(deps): update website major dependencies (major)
2026-05-30 14:34:28 +09:00
Kazuki Yamada 8899366243 Merge pull request #1610 from yamadashy/feat/website-auto-pack-on-url
feat(website): Enable auto-pack when repo URL parameter is present
2026-05-30 14:21:37 +09:00
Kazuki Yamada 759dd312bf feat(website): Enable auto-pack when repo URL parameter is present
intent(website): re-enable auto-pack on `?repo=` URLs now that the Cloudflare bot defense (BFM + invisible Turnstile) reliably blocks crawler-driven mass requests
constraint(auto-pack): keep the `!isBot()` guard as defense-in-depth — auto-execution was originally disabled because crawlers (e.g. Applebot) executing JS on permalink URLs caused mass pack requests

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 14:20:31 +09:00
renovate[bot] 96bc24ea97 fix(deps): update website major dependencies 2026-05-30 05:20:03 +00:00
Kazuki Yamada fb9bc9ee25 Merge pull request #1606 from yamadashy/renovate/website-non-major-dependencies
fix(deps): update website non-major dependencies
2026-05-30 14:18:12 +09:00
Kazuki Yamada c90beaef0e Merge pull request #1605 from yamadashy/renovate/root-non-major-dependencies
fix(deps): update root non-major dependencies
2026-05-30 14:17:52 +09:00
Kazuki Yamada 921dd2393d Merge pull request #1604 from yamadashy/renovate/browser-non-major-dependencies
chore(deps): update browser non-major dependencies
2026-05-30 14:17:31 +09:00
renovate[bot] ac459efd5c chore(deps): update browser non-major dependencies 2026-05-30 05:12:10 +00:00
renovate[bot] a29b596581 fix(deps): update website non-major dependencies 2026-05-30 05:08:31 +00:00
renovate[bot] df7af80952 fix(deps): update root non-major dependencies 2026-05-30 05:08:07 +00:00
Kazuki Yamada d7d124b49a Merge pull request #1609 from yamadashy/renovate/github-actions-non-major-dependencies
chore(deps): update anthropics/claude-code-action action to v1.0.133
2026-05-30 14:07:26 +09:00
renovate[bot] 1612ecc016 chore(deps): update anthropics/claude-code-action action to v1.0.133 2026-05-30 05:06:31 +00:00
Kazuki Yamada 66e8a508a0 Merge pull request #1603 from yamadashy/renovate/github-actions-non-major-dependencies
chore(deps): update github-actions non-major dependencies
2026-05-30 14:05:46 +09:00
github-actions[bot] 68cdaca17c chore(schema): auto generate schema 2026-05-30 00:42:50 +00:00
renovate[bot] 6b3b708874 chore(deps): update github-actions non-major dependencies 2026-05-30 00:42:13 +00:00
Kazuki Yamada 6d7800eada docs(release): Add v1.14.1 release notes
intent(release): document the 1.14.1 security patch (GHSA-9mm9 argument injection, GHSA-hwpp MCP secret-scan bypass) alongside the token-count cache and Dart parsing improvements
decision(release-notes): lead with Security since updating is recommended for all users; omit website/deps/internal PRs per release-note guidelines
decision(nix): list nixpkgs install under Improvements (user-facing) and the dev flake under Development (contributor-facing), without pinning a nixpkgs version since it lags releases

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 00:29:38 +09:00
Kazuki Yamada a7b93adfcd 1.14.1 v1.14.1 2026-05-27 00:45:16 +09:00
Kazuki Yamada e02cb66cd5 Merge commit from fork
fix(mcp): secret-scan attach-sourced outputs before serving them
2026-05-27 00:39:35 +09:00
Kazuki Yamada 4f4300a708 Merge commit from fork
fix(security): prevent argument injection via remote branch ref
2026-05-27 00:38:39 +09:00
Kazuki Yamada e447f7dba6 fix(mcp): secret-scan attach-sourced outputs before serving them
intent(mcp-attach): fix GHSA-hwpp-h97w-2h3j. attach_packed_output registered an arbitrary local file path under an outputId, and read_repomix_output / grep_repomix_output then returned its content without the secret scan that file_system_read_file enforces, letting a caller bypass that boundary to read local .json/.md/.txt/.xml files.
decision(serve-time-scan): run the secret scan when content is served (in read_repomix_output and grep_repomix_output), not only at attach time, so the boundary holds even if the file changes after attach (TOCTOU / symlink swap) and always applies to whatever is actually returned.
decision(registry-flag): tag attach-sourced registry entries with requiresSecretScan so only untrusted attach outputs are scanned on read, leaving the trusted pack_codebase / pack_remote_repository flow (already secret-filtered during packing) unaffected.
rejected(attach-time-validity): rejecting inputs with zero extractable files is unsound. Legitimate outputs can pack zero files (empty repo, everything filtered, output.files=false) and a crafted JSON with a files key passes the check anyway, so it was dropped in favor of the secret-scan boundary that matches file_system_read_file.
test(mcp): cover serve-time scanning in read and grep (blocked when the scan flags content, skipped for non-attach outputs) and that attach marks its outputs for serve-time scanning.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 00:35:13 +09:00
Kazuki Yamada 094a635b03 Merge pull request #1601 from yamadashy/chore/explorer-description
chore(skills): Sharpen repomix-explorer description
2026-05-26 00:30:55 +09:00
Kazuki Yamada 35c2e86d2b chore(skills): Address PR review feedback
improve(skill-description): Scope the known-path and single-symbol "DO NOT trigger" exclusions to the local project, since remote repos require packing before Read/grep can work (gemini-code-assist review on #1601)
2026-05-26 00:26:09 +09:00
Kazuki Yamada 3c84e75cdc chore(skills): Sharpen repomix-explorer description with trigger boundaries
intent(skill-description): Make the explorer skill activate precisely, modeled on GoogleChrome/modern-web-guidance's description style
decision(description-format): Switch to block scalar with categorized "Trigger for" examples plus an explicit "DO NOT trigger for" list
constraint(activation): Exclude single-file edits, known-path greps, and git/test/build ops so the skill stops over-triggering on targeted work
2026-05-26 00:20:05 +09:00
Kazuki Yamada 18b1d61078 Merge pull request #1600 from yamadashy/chore/harden-issue-similar-workflow
chore(ci): harden similar-issues workflow with least-privilege split
2026-05-26 00:00:46 +09:00
Kazuki Yamada 5307a43158 chore(ci): harden similar-issues workflow with least-privilege split
decision(architecture): split into a read-only find job and a separate no-AI comment job, mirroring the triage workflow, so the step that reads issue content holds no write token and no shell access.
decision(find-tools): disable Bash/Edit/Write/MultiEdit/NotebookEdit/WebFetch/WebSearch/Task and return related issue numbers via --json-schema structured output. Pass the untrusted issue title to gh search after "--" so it cannot be parsed as an option.
decision(comment): build the comment from a fixed template, validate the model-chosen numbers against real repository issues, and render only the issue reference (#n) so no attacker-controlled text reaches the posted comment.
2026-05-25 23:50:43 +09:00
Kazuki Yamada 132f1b87d2 Merge pull request #1598 from yamadashy/fix/issue-triage-prompt-injection
chore(ci): harden issue triage workflow with least-privilege split
2026-05-24 22:59:55 +09:00
Kazuki Yamada 8546d3ddac chore(ci): harden issue triage workflow with least-privilege split
decision(architecture): split triage into a read-only classify job and a separate no-AI apply job, so the step that reads issue content holds no write token and no shell access, and the step that writes labels runs fixed code rather than an agent.
decision(classify-tools): disable Bash/Edit/Write/MultiEdit/NotebookEdit/WebFetch/WebSearch/Task and return the chosen labels via --json-schema structured output, keeping the agent to read-only file access.
decision(apply-labels): validate the model-chosen labels against the real repository label list, cap at 5, and apply via the labels REST endpoint instead of an agent-built command.
learned(claude-code-action): passing --json-schema in claude_args exposes the result as steps.<id>.outputs.structured_output, parsed downstream with fromJSON().

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 22:14:47 +09:00
Kazuki Yamada e0924b6430 Merge pull request #1597 from yamadashy/chore/skills-reorganize
chore(skills): Reorganize skill directories
2026-05-24 21:52:22 +09:00
Kazuki Yamada 92bfa3193b fix(security): prevent argument injection via remote branch ref
intent(remote-clone): fix reported RCE advisory (GHSA-9mm9-rqhj-j5mx) — remoteBranch was passed to git fetch/checkout without sanitization, bypassing the dangerousParams control applied only to the URL
decision(ref-validation): reject any ref starting with '-' rather than blocklisting specific params — git refname rules already forbid leading '-', so it is safe and also blocks unknown dangerous options
decision(option-terminator): use '--end-of-options' before the ref in fetch and checkout as defense in depth
rejected(option-terminator): the advisory-recommended '--' delimiter — 'git checkout -- <ref>' treats the argument as a pathspec, not a ref, changing semantics; '--end-of-options' stops option parsing without that side effect
constraint(short-sha-fallback): the short-SHA checkout fallback path must be guarded too, not just the primary fetch
learned(upload-pack): '--upload-pack' only executes locally over local transports (file://, ext::); over https it is ignored and over ssh it runs on the remote host

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 21:21:01 +09:00
Kazuki Yamada 6c6bb0ecd5 chore(skills): Move repomix-explorer to top-level skills/ directory
intent(skills-layout): Separate project-internal skills from harness-specific .claude/skills/
decision(compat): Keep .claude/skills/repomix-explorer as symlink so existing CLI/plugin references still resolve
constraint(hermes-docs): Hermes install URL in README and 15 translated guides points at raw GitHub paths, so the move requires updating every docs locale
2026-05-24 19:31:46 +09:00
Kazuki Yamada a01d8369ed chore(skills): Reorganize skills under .agents and add contextual-commit
decision(skills-layout): Move skills to .agents/skills with .claude/skills symlinks for harness compatibility
decision(agent-carnet): Mark as internal via metadata flag
2026-05-24 19:20:43 +09:00
Kazuki Yamada b2e60fd70b Merge pull request #1596 from yamadashy/docs/privacy-turnstile-disclosure
docs(website): Disclose Cloudflare Turnstile in privacy policy
2026-05-24 17:14:13 +09:00
Kazuki Yamada 2ace2f8fa5 docs(website): Disclose Cloudflare Turnstile in privacy policy
Cloudflare requires sites running Turnstile in Invisible mode to
reference the Turnstile Privacy Policy in their own privacy disclosures.
Add a `Bot Protection` bullet to the Repomix Website section pointing
to Cloudflare's policy and explaining the invisible challenge.

All other locales include this file via `@include`, so the disclosure
propagates to every translation automatically.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 17:10:31 +09:00
Kazuki Yamada f458fbd909 Merge pull request #1590 from serhiizghama/fix/turnstile-invalid-size-param
fix(website): remove invalid Turnstile size 'invisible', hide container via CSS
2026-05-24 17:03:53 +09:00
Kazuki Yamada d4c73dc3c8 Merge pull request #1595 from yamadashy/dependabot/npm_and_yarn/npm_and_yarn-9ddfda7c4f
chore(deps): Bump the npm_and_yarn group across 2 directories with 1 update
2026-05-24 16:01:22 +09:00
dependabot[bot] 9912900820 chore(deps): Bump the npm_and_yarn group across 2 directories with 1 update
Bumps the npm_and_yarn group with 1 update in the / directory: [qs](https://github.com/ljharb/qs).
Bumps the npm_and_yarn group with 1 update in the /website/server directory: [qs](https://github.com/ljharb/qs).


Updates `qs` from 6.15.0 to 6.15.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ljharb/qs/compare/v6.15.0...v6.15.2)

Updates `qs` from 6.15.0 to 6.15.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ljharb/qs/compare/v6.15.0...v6.15.2)

---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-24 06:58:05 +00:00
Kazuki Yamada 32531c5c89 Merge pull request #1594 from yamadashy/renovate/root-non-major-dependencies
chore(deps): update root non-major dependencies
2026-05-24 15:56:00 +09:00
renovate[bot] f5528ca375 chore(deps): update root non-major dependencies 2026-05-24 06:31:44 +00:00
Kazuki Yamada 997e49040b Merge pull request #1593 from yamadashy/renovate/scripts-non-major-dependencies
chore(deps): update dependency @types/node to ^24.12.4
2026-05-24 15:29:41 +09:00
Kazuki Yamada ef1e7d27a1 Merge pull request #1592 from yamadashy/renovate/browser-non-major-dependencies
chore(deps): update browser non-major dependencies
2026-05-24 15:29:22 +09:00
Kazuki Yamada b13dd00db5 Merge pull request #1591 from yamadashy/renovate/github-actions-non-major-dependencies
chore(deps): update github-actions non-major dependencies
2026-05-24 15:29:02 +09:00
Kazuki Yamada f5773c8871 Merge pull request #1589 from yamadashy/seo/per-page-jsonld-hreflang
feat(website): Emit per-page TechArticle JSON-LD and hreflang alternates
2026-05-24 15:28:33 +09:00
renovate[bot] 768583a447 chore(deps): update browser non-major dependencies 2026-05-24 05:34:28 +00:00
renovate[bot] 3eb4f77bdd chore(deps): update github-actions non-major dependencies 2026-05-23 20:35:11 +00:00
renovate[bot] 403f9b069d chore(deps): update dependency @types/node to ^24.12.4 2026-05-23 06:27:45 +00:00
serhiizghama 9c1d96160f fix(website): hide Turnstile container via CSS instead of size: invisible
Without a size value, Turnstile renders a visible widget inside the container
div. Collapse it with position: absolute; width/height: 0; overflow: hidden;
visibility: hidden so no layout space is consumed and the widget stays inert.
2026-05-22 08:49:31 +07:00
serhiizghama 2ce3472b1d fix(website): remove invalid Turnstile size 'invisible' from render options
Cloudflare Turnstile does not accept 'invisible' as a size value; the valid
options are 'normal', 'compact', and 'flexible'. Passing 'invisible' throws a
TurnstileException in recent Turnstile script versions, breaking the pack form.

The invisible behaviour is already achieved via execution: 'execute', which
defers the challenge until mintToken() is called. The size parameter is only
needed when rendering a visible widget.
2026-05-22 08:49:25 +07:00
Kazuki Yamada b363c23622 fix(website): Address PR review feedback for SEO config
- Consolidate `supportedLocales`, `localeToBcp47`, and `localeToOgLocale`
  into a single `localeConfig` map and export it along with the
  `Locale` type so the locale list lives in one place and can be reused
  by the main VitePress config later.
- Extract the duplicated author block into a shared `siteAuthor`
  constant referenced by both the global SoftwareApplication graph and
  the per-page TechArticle.
- Give the global `WebSite` node a stable `@id` and reference it from
  `TechArticle.isPartOf` so search engines see a single linked entity
  across pages instead of inlined duplicates.
- Emit per-page `og:type` (`article` for docs, `website` for the home
  page) and drop the global `og:type` so the OpenGraph type matches the
  TechArticle schema.
- Add `og:locale:alternate` for every non-current locale alongside the
  existing `hreflang` alternates so social previews can also route to
  the matching localized page.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-22 00:29:31 +09:00