release: sync dev → main #65
Merged
devchaudhary24k merged 149 commits into main from dev on Apr 19, 2026
Migration/tanstack start
Feat/auth package revamp
Archive superseded by apps/app (TanStack Start) which now owns the full FE surface. Git tag `legacy-dashboard` preserves the last state if future reference is needed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
feat(ui): migrate to base-ui + base-lyra shadcn + factory auth
Hardening for bypass-mode Claude usage and safer human workflow.
Husky:
- post-merge + post-checkout — auto pnpm install on lockfile change, warn on DB schema drift
- pre-rebase — block rebase on main/dev/master/develop
- pre-commit — add migration gate (block when schema staged without migration)
- pre-push — add branch-protection (refuse push to main/dev + force-push)
Claude hooks:
- block-env-file-access — deny Read/Write/Edit on .env* (exempt .env.example)
- block-env-bash — deny cat/head/tail/grep on .env; allow source / dot-source and export $(grep ... | xargs) patterns so secrets load into env vars without hitting stdout
- block-missing-migration — refuse git commit when schema staged without migration file
- block-rebase-shared — mirror husky pre-rebase at Claude tool layer
- warn-shadcn-edit — nudge on edits under packages/ui/src/components/
Settings:
- Expanded deny list: SSH/AWS/kube creds, --no-verify, history rewrite, mass delete, supply-chain exec, publish, global install, gh state mutations, docker prune, sudo
- Cleaned settings.local.json (was stale one-off approvals)
ESLint rules (replace two warn hooks with proper lint):
- no-restricted-syntax: forbid process.env.X direct access (env.ts exempt)
- no-restricted-imports in apps/app: backend pkgs (@vidcastx/database, queue, storage, redis, m2m), drizzle-orm, bullmq, ioredis, pg, bun, @aws-sdk/* — type imports still allowed where sensible
Rules + docs:
- .claude/rules/tooling.md — full TS/ESLint/Prettier/Husky posture, documents which flags are off + why
- CLAUDE.md — tooling section refreshed, rules index, commit-attribution policy (no Co-Authored-By trailer, no automated footer)
- .claude/rules/commit-discipline.md — removed Co-Authored-By requirement
Collateral:
- auth.functions.ts: process.env.API_URL -> env.API_URL via workspace env.ts
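One way to implement the `block-env-bash` decision described in the commit above, as an added example that is not the repository's own hook script. It assumes a PreToolUse-style hook that receives the Bash call as JSON on stdin (`tool_input.command`) and blocks by exiting with status 2; the reader list and the sanctioned `export $(grep ... | xargs)` form are taken from the commit text, everything else is illustrative.

```python
import json
import re
import sys

# Commands whose normal job is to print file contents to stdout (constructed list).
READERS = ("cat", "head", "tail", "grep", "less", "more", "bat")

# The one sanctioned read form: output goes into the environment, never to stdout.
EXPORT_FROM_GREP = re.compile(r"export\s+\$\(\s*grep\b[^()]*\.env[^()]*\|\s*xargs\s*\)")


def is_env_file(word: str) -> bool:
    """True for .env, .env.local, ./apps/api/.env.production, .env* ... but not .env.example."""
    name = word.strip("\"'").rsplit("/", 1)[-1]
    return name.startswith(".env") and name != ".env.example"


def decide(command: str) -> str:
    """Return 'allow' or 'deny' for one Bash command string."""
    # Strip the sanctioned export form first; whatever remains is judged stage by stage.
    remaining = EXPORT_FROM_GREP.sub("", command)
    for segment in re.split(r"\|\||&&|\||;|\n", remaining):
        words = segment.split()
        # Ignore privilege/command wrappers so `sudo cat .env` is judged as `cat .env`.
        while words and words[0] in ("sudo", "command"):
            words = words[1:]
        if not words:
            continue
        if words[0] in ("source", "."):
            continue  # sourcing loads variables into the shell without printing them
        if words[0] in READERS and any(is_env_file(w) for w in words[1:]):
            return "deny"
    return "allow"


def main() -> int:
    """Hook entry point (assumed contract: JSON on stdin, exit 2 blocks the tool call)."""
    payload = json.load(sys.stdin)
    command = payload.get("tool_input", {}).get("command", "")
    if decide(command) == "deny":
        print("blocked: .env contents must not reach stdout; use `source .env` "
              "or `export $(grep -v '^#' .env | xargs)` instead", file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main())
```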
apps/api scripts (check-types, dev, build) invoke `bun run with-env` via dotenv-cli wrapper. CI runners had only Node installed, so typecheck failed with `sh: 1: bun: not found`. Added oven-sh/setup-bun@v2 to setup, check-types, lint, and format jobs for consistency even where not strictly needed today.
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* chore(ci): disable Dependabot — Renovate is the source of truth
Dependabot was opening PRs against `main` (wrong base, default-branch
behavior) and scanning stale paths (apps/dashboard no longer exists),
duplicating what Renovate already handles with correct grouping +
`baseBranches: ["dev"]`.
Add an empty updates array to disable Dependabot version updates.
Dependabot *security* updates cannot be disabled via config — toggle
them off in Repo Settings → Code security → Dependabot security updates.
Renovate's vulnerabilityAlerts already covers that surface.
* chore(claude): split destructive ops into ask tier
Bypass-mode usage needs a middle ground between silent allow and hard
deny. Introduce the `ask` permission tier for state-changing ops that
are legitimate but always warrant a beat to think.
Moved deny -> ask:
- gh pr merge/close, gh release create/delete, gh workflow disable/delete
- git push --force-with-lease, git reset --hard, git clean -f/-fd,
git branch -D, git cherry-pick, git revert, git rebase
(belt-and-suspenders beside block-rebase-shared.sh)
- pnpm db:migrate (applies SQL — prompt per invocation)
- docker compose down -v / rm, docker system prune, docker volume prune/rm
- chmod -R
Kept in deny (truly no legit need):
- rm -rf paths, find -delete / -exec rm
- env/secret readers (printenv, env, ssh/aws/kube/netrc)
- git push --force / -f (use --force-with-lease via ask)
- --no-verify bypasses, git checkout -- ., history rewrites
- db:push, db:reset, DROP/TRUNCATE, raw psql DELETE/UPDATE
- curl|sh, wget|sh, publishes, global installs, auth tokens
- gh auth logout, sudo
* chore(github): refresh templates + renovate grouping
.github/:
- copilot-instructions.md — point at CLAUDE.md + .claude/rules/;
refreshed stack list (Elysia/Bun/TanStack, not Next)
- pull_request_template.md — repo-specific checklist with migration
gate and UI-change checks
- SECURITY.md — drop arbitrary versioned table (pre-1.0), structure
scope + triage SLAs, prefer GitHub private advisories
- ISSUE_TEMPLATE/bug_report.yml — fix malformed YAML tail, add
logs field, default labels bug + needs-triage
- ISSUE_TEMPLATE/config.yml — add security-advisory link, disable
blank issues, route feature requests to Discussions
- DISCUSSION_TEMPLATE/ideas.yml — fix missing title/labels,
problem/solution/alternatives structure
- FUNDING.yml — commented platform list for easy expansion
- renovate.json — drop deprecated matchPackagePatterns, de-dupe
@vidcastx pattern, add schedule + prConcurrent/HourlyLimit,
dependencyDashboardTitle, groups for TanStack / Drizzle / Elysia /
full linting stack
* fix(ci): make dependabot.yml schema-valid while keeping it disabled
Empty `updates: []` fails Dependabot's validator ('minimum 1 item').
Use a single npm entry with `open-pull-requests-limit: 0` — valid
config, zero PRs created.
Summary
Promotes ~50 commits from `dev` to `main`. Large sync covering the TanStack Start migration, auth revamp, folders feature, video dashboard work, full CI/tooling hardening, and Renovate-driven security bumps.
What lands on main
Platform migration
Auth
Feature work
API / workers
CI / tooling hardening (last mile)
Security dep bumps (via Renovate)
Infra / config misc
Developer ergonomics
Test plan