docs: refresh byteport sladge badge#175
Conversation
…nale - Add 17 ignore entries for gtk-rs cluster (10), unic-* family (5), proc-macro-error, fxhash — all transitive via Tauri 2.x stack with no safe upgrade and no direct use in BytePort source. - Remove stale RUSTSEC-2024-0436 (paste) ignore (advisory-not-detected per cargo-deny; no longer in dep tree). - cargo deny check advisories: PASS.
The crt.pem was a Sigstore.dev code-signing certificate with 10-minute validity that expired on 2026-11-08. Replace with a descriptive placeholder to prevent accidental re-commit of credentials. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replace terminal escape sequence artifact with proper status stub. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- docs: add SPECS_INDEX.md - fix(ci): replace trufflesecurity/trufflehog with go install approach - fix(ci): upgrade cargo-deny from v2 to v6 - ci: add doc-links.yml workflow - ci: add fr-coverage.yml workflow - ci: add quality-gate.yml workflow Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Repair the live BytePort Sladge badge gap in an isolated worktree while preserving canonical workflow, SPEC, and Go source edits. Co-authored-by: Codex <noreply@openai.com>
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 | ||
| with: | ||
| go-version: 'stable' | ||
| - uses: golangci/golangci-lint-action@aa6339a8b9e0e1c4b5e7c4e6f8d7c3a2b1e0d9f8 | ||
| with: | ||
| version: latest |
|
codeant-ai
Bot
added
the
size:XXL
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 7 potential issues.
Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issues.
Reviewed by Cursor Bugbot for commit 691049c. Configure here.
| push: | ||
| timeout-minutes: 45 | ||
| branches: [main] | ||
| pull_request: |
There was a problem hiding this comment.
CI workflow triggers invalid
High Severity
timeout-minutes was inserted under the workflow on map, so push/pull_request/branches are no longer valid trigger children. GitHub Actions expects event keys there, not job timeouts, so these workflows likely fail validation or never fire on the intended branches.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit 691049c. Configure here.
|
|
||
| timeout-minutes: 10 | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true |
There was a problem hiding this comment.
Concurrency block YAML corrupted
High Severity
timeout-minutes was placed inside the concurrency section with group and cancel-in-progress nested under it. That is invalid workflow YAML and drops the intended concurrency group, so audit/CodeQL runs may not parse or may lose cancel-in-progress behavior.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 691049c. Configure here.
| name: Monthly SBOM Refresh | ||
| on: | ||
| schedule: | ||
| timeout-minutes: 15 |
There was a problem hiding this comment.
SBOM schedule YAML broken
Medium Severity
timeout-minutes was inserted under on.schedule, so the monthly cron entry is no longer a direct child of schedule. The scheduled SBOM refresh may not run on the intended cadence.
Reviewed by Cursor Bugbot for commit 691049c. Configure here.
| const raw = await ghRaw(`repos/${REPO}/contents/${path}.md?ref=main`); | ||
| if (raw) { | ||
| // Last-ditch: raw markdown wrapped in <pre>. | ||
| bodyHtml = `<pre class="raw-md">${raw.replace(/[<>&]/g, (c) => ({ "<": "<", ">": ">", "&": "amp;" })[c] ?? c)}</pre>`; |
There was a problem hiding this comment.
Ampersand escape produces amp
Medium Severity
The raw-markdown fallback replaces & with the literal text amp; instead of the HTML entity &. Doc pages can show corrupted text and leave & unescaped in HTML context.
Reviewed by Cursor Bugbot for commit 691049c. Configure here.
| <meta charset="UTF-8" /> | ||
| <meta name="viewport" content="width=device-width, initial-scale=1" /> | ||
| <title>Byteport — High-performance binary serialization and protocol framework</title> | ||
| <meta name="description" content={description} /> |
There was a problem hiding this comment.
Wrong landing page fallback copy
Medium Severity
When the GitHub API is unavailable, defaults describe BytePort as a Rust binary serialization framework, including the page title and meta description. That contradicts the repo README and mislabels the project on the public landing site.
Reviewed by Cursor Bugbot for commit 691049c. Configure here.
| debug: true | ||
| go-version: 'stable' | ||
| - name: Install and run TruffleHog | ||
| run: go install github.com/trufflehog/trufflehog/v3@latest && trufflehog github --only-verified |
There was a problem hiding this comment.
TruffleHog skips local checkout
High Severity
The workflow dropped the filesystem TruffleHog action and runs trufflehog github --only-verified without a --repo (or equivalent) for the checked-out tree. Secrets in the PR commit may not be scanned the way the previous path: ./ action did.
Reviewed by Cursor Bugbot for commit 691049c. Configure here.
| - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 | ||
| with: | ||
| go-version: 'stable' | ||
| - uses: golangci/golangci-lint-action@aa6339a8b9e0e1c4b5e7c4e6f8d7c3a2b1e0d9f8 |
There was a problem hiding this comment.
Lint workflow uses invalid actions
Medium Severity
The new Lint workflow pins actions/setup-go and golangci/golangci-lint-action to non-standard commit SHAs that do not match published action releases. The job will likely fail at the “resolve action” step instead of running golangci-lint.
Reviewed by Cursor Bugbot for commit 691049c. Configure here.
![codeant-ai[bot]](https://avatars.githubusercontent.com/in/646884?s=60&v=4){kind=small}
| type LiveLoaderDataType<C extends keyof LiveContentConfig['collections']> = | ||
| LiveContentConfig['collections'][C]['schema'] extends undefined | ||
| ? ExtractDataType<LiveContentConfig['collections'][C]['loader']> |
There was a problem hiding this comment.
Suggestion: ExtractDataType is referenced but never declared or imported in this declaration file, which makes the generated Astro content types invalid and can break TypeScript checking in environments that do not skip .d.ts validation. Add the missing type alias (or replace it with the correct existing helper type) so LiveLoaderDataType resolves correctly. [type error]
Severity Level: Major ⚠️
- ⚠️ TypeScript cannot fully type-check astro:content module.
- ⚠️ Editors show errors for LiveLoaderDataType-dependent APIs.
- ⚠️ Astro live content helpers unusable with strict type checking.Steps of Reproduction ✅
1. Open the repository in an editor or TypeScript tooling that picks up `.d.ts` files in
the workspace; note that `.astro/types.d.ts` (at
`/workspace/BytePort/.astro/types.d.ts:1-2`) uses triple-slash references to include
`content.d.ts` from the same directory.
2. Observe that `content.d.ts` declares the `astro:content` module and defines
`LiveLoaderDataType` at `/workspace/BytePort/.astro/content.d.ts:138-143`, where line 140
contains `? ExtractDataType<LiveContentConfig['collections'][C]['loader']>`.
3. Still in `content.d.ts`, confirm there is no declaration or import for
`ExtractDataType` anywhere in the file (lines 1–154), while other helper types like
`ExtractLoaderTypes`, `ExtractEntryFilterType`, `ExtractCollectionFilterType`, and
`ExtractErrorType` are explicitly declared at lines 126–136.
4. Run TypeScript over these declarations (for example, by having the editor's TypeScript
language service or `tsc` load `.astro/types.d.ts`); when it reaches `LiveLoaderDataType`
in `.astro/content.d.ts:138-140`, TypeScript will emit an error `Cannot find name
'ExtractDataType'`, breaking type checking for any consumer of the `astro:content` module.Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** .astro/content.d.ts
**Line:** 138:140
**Comment:**
*Type Error: `ExtractDataType` is referenced but never declared or imported in this declaration file, which makes the generated Astro content types invalid and can break TypeScript checking in environments that do not skip `.d.ts` validation. Add the missing type alias (or replace it with the correct existing helper type) so `LiveLoaderDataType` resolves correctly.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
| @@ -0,0 +1,177 @@ | |||
| --- | |||
| import "../styles/globals.css"; | |||
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
The new Astro pages import a shared stylesheet at src/styles/globals.css, but no globals.css file exists anywhere in the repository, so these CSS imports will fail to resolve and break the landing build.
Suggestion: Add the missing src/styles/globals.css file (and commit it with the new pages) or update all imports to point to an existing stylesheet, then validate with a full Astro landing build in CI.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** src/pages/index.astro
**Line:** 2:2
**Comment:**
*CRITICAL: The new Astro pages import a shared stylesheet at src/styles/globals.css, but no globals.css file exists anywhere in the repository, so these CSS imports will fail to resolve and break the landing build.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
|
CodeAnt AI finished reviewing your PR. |
2 participants
User description
Refresh the sladge badge for the current BytePort branch.
Note
High Risk
Removes a committed private key (positive) but the diff touches secrets-adjacent paths and CI; multiple workflow files appear YAML-broken, and TruffleHog/@latest plus duplicated CI increase merge and supply-chain risk.
Overview
This PR is much broader than the Sladge refresh title implies. It adds the Sladge “AI Slop Inside” badge to
README.md, tightens the canonical-stack blurb, and records that work underdocs/sessions/20260506-byteport-sladge-refresh/.Security hygiene:
backend/byteport/byteport-ghkey.pemis deleted (RSA private key removed from the tree).crt.pemis replaced with an explicit expired Sigstore placeholder comment instead of embedded certificate material.CI / governance: Many workflows gain concurrency groups, timeouts, and
actions/checkout@v4on some jobs; new stub workflows (doc-links,fr-coverage,quality-gate,lint, extraci.yml) echo phenotype-tooling integration.cargo-denymoves to stable toolchain and v6 action;deny.tomlexpands documented RUSTSEC ignores (gtk-rs, unic-*, etc.).trufflehog.ymlswitches from the official action togo install …@latest. Several edited YAML files placetimeout-minutesunderon:in invalid positions (e.g.ci.yml,cargo-audit.yml,go-ci.yml), which can break workflow parsing.Docs / site: New
SPECS_INDEX.md, rewrittenSTATUS.md, generated.astro/types, and a tier-3 Astro landing (src/pages/index.astro,/docs,/qa,/otel,/preview) with GitHub API + snapshot fallbacks (src/data/readme.html,qa-snapshot.json).Review focus: Treat as a multi-lane merge—validate Actions YAML, confirm no secrets remain, and decide whether landing/CI churn belongs in the same PR as the badge.
Reviewed by Cursor Bugbot for commit 691049c. Bugbot is set up for automated code reviews on this repo. Configure here.
CodeAnt-AI Description
Refresh BytePort’s landing content, docs views, and CI checks while removing exposed credentials
What Changed
/docs,/qa,/otel, and/previewpages that show repo content, quality status, observability, and PR preview links with clear fallback messages when data is missing.Impact
✅ Clearer project overview✅ Safer secret handling✅ More reliable CI runs💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.