feat: v3.1.0 hardening — CI, security, changelog, social #23
naimkatiman wants to merge 6 commits into main from
… content
- Add engines.node >= 18 to package.json (matches CI matrix)
- Add code coverage step to CI (Node 22, --experimental-test-coverage)
- Add CodeQL security scanning workflow (weekly + push/PR)
- Backfill missing CHANGELOG entry for v3.1.0
- Update X thread to v3.1.0 (9 tweets, current stats, platform coverage)
https://claude.ai/code/session_01WKuvYYRfrqGb3MhiT7pQgY
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
Code Review
This pull request updates the project to version 3.1.0 by enforcing a Node.js engine constraint in package.json, updating the CHANGELOG.md, and expanding the social media thread examples to include new features like the MCP server and instinct packs. It also introduces an automated REPORTS/daily-improvement.md file. The review feedback correctly identifies that this new report file contains stale information and placeholders, as it describes the missing engine field and out-of-sync changelog as pending issues despite them being resolved within this same PR.
|
|
||
| ## 1. One-Line Verdict | ||
|
|
||
| **The CHANGELOG is out of sync with the shipped version, and the package.json lacks an `engines` field — your CI tests Node 18/20/22 but consumers have zero guidance on minimum version.** |
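Review bot: the section 1 verdict still says the CHANGELOG is out of sync and that package.json lacks an `engines` field, but the commits in this PR add `engines.node >= 18` and backfill the v3.1.0 CHANGELOG entry. Committed as written, the report records a finding that is already false at the commit it lands in. Either regenerate the verdict against the PR head or reword it as the state before this change.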
|
|
||
| | Item | Status | Notes | | ||
| |---|---|---| | ||
| | v3.1.0 shipped | Valid | `package.json` updated, but CHANGELOG not updated | |
The note here stating that the CHANGELOG is not updated is incorrect in the context of this pull request, which specifically includes the missing CHANGELOG entry.
| | v3.1.0 shipped | Valid | `package.json` updated, but CHANGELOG not updated | | |
| | v3.1.0 shipped | Valid | package.json and CHANGELOG updated | |
| ## [3.1.0] — 2026-04-11 | ||
|
|
||
| ### Added | ||
| - (document what changed in 3.1.0) | ||
|
|
||
| ### Changed | ||
| - (document what changed) | ||
| ``` |
This section contains placeholder text (e.g., (document what changed)) and instructions for tasks already completed in this PR. It should be updated to reflect the final status of the v3.1.0 release to avoid committing template content to the repository.
| ## [3.1.0] — 2026-04-11 | |
| ### Added | |
| - (document what changed in 3.1.0) | |
| ### Changed | |
| - (document what changed) | |
| ``` | |
| ## 7. Status Update | |
| **The `engines` field has been added and the CHANGELOG has been updated.** | |
| These actions resolve the credibility gaps identified in this report. Future scans will track further evolution. |
- GitHub Action workflow: auto-posts to X/Twitter when a release is published
- bin/generate-social-post.mjs: generates platform-specific posts (X, LinkedIn)
- Dynamically pulls version tag, test count, and release URL
- One-time setup: add X API secrets to GitHub repo settings
https://claude.ai/code/session_01WKuvYYRfrqGb3MhiT7pQgY
- bin/social.mjs: zero-dep local tool for X/Twitter + LinkedIn posting
  - preview: see post content before sending
  - post: publish to X, LinkedIn, or both via API
  - setup: install local cron job (default: daily 10 AM)
  - uninstall: remove cron job
- .env.example: template for API credentials
- .gitignore: prevents .env from being committed
- Removed .github/workflows/social-post.yml (cloud-based)
- Removed bin/generate-social-post.mjs (replaced by social.mjs)
Setup: cp .env.example .env && add keys && node bin/social.mjs setup
https://claude.ai/code/session_01WKuvYYRfrqGb3MhiT7pQgY
| Object.keys(params).sort().map(k => `${k}=${encodeURIComponent(params[k])}`).join('&') | ||
| )}`; | ||
| const signingKey = `${encodeURIComponent(consumerSecret)}&${encodeURIComponent(tokenSecret)}`; | ||
| return crypto.createHmac('sha1', signingKey).update(baseString).digest('base64'); |
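Review bot: in the parameter-string line, `${k}=${encodeURIComponent(params[k])}` relies on `encodeURIComponent`, which leaves `!`, `*`, `'`, `(` and `)` unescaped, while OAuth 1.0a (RFC 5849 section 3.6) requires every character outside the unreserved set to be percent-encoded. Any signed parameter value containing one of those characters yields a base string that differs from the one the server computes, so the signature check fails. Keys are also emitted raw and sorted before encoding, whereas the spec encodes names and values first and then sorts. Suggest one strict percent-encode helper that wraps `encodeURIComponent` and additionally escapes those five characters, used for keys and values here and for both secrets in `signingKey`.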
- scheduled-tasks/daily-social-improvement/SKILL.md: full task prompt for Claude Code scheduled tasks (pull, test, analyze, report, post, push)
- scheduled-tasks/install.sh: one-command installer copies tasks to ~/.claude/scheduled-tasks/ for local Claude Code desktop
Setup: bash scheduled-tasks/install.sh && /schedule update daily-social-improvement
https://claude.ai/code/session_01WKuvYYRfrqGb3MhiT7pQgY
…ort restructure [2026-04-11]
- Restructured REPORTS/ to reports/ (lowercase, matches prompt convention)
- Created reports/assets/ with SVG card generator and first visual asset
- Updated scheduled-tasks/daily-social-improvement/SKILL.md with full 5-phase execution engine prompt (analyze, implement, generate assets, report, post via Chrome MCP tools to X/LinkedIn/Facebook/DEV.to)
- Rewrote reports/daily-improvement.md to match new report format
https://claude.ai/code/session_01WKuvYYRfrqGb3MhiT7pQgY
@copilot resolve the merge conflicts in this pull request
v3.1.0 Hardening — Ship-Ready Polish
What Changed
Infrastructure hardening — every change here closes a credibility gap that was visible to anyone evaluating the repo:
- engines.node >= 18 in package.json — CI tests Node 18/20/22 but consumers had zero guidance. Now npm warns on incompatible versions automatically.
- --experimental-test-coverage on Node 22. Zero new dependencies.
- child_process, reads/writes filesystem, processes user JSONL. CodeQL catches injection risks before they ship. Runs on push, PR, and weekly.
- REPORTS/daily-improvement.md tracking repo evolution.
Why This Matters
The code was already solid. The signals weren't. No engines field = silent broken installs. No coverage = "are these tests real?" No security scanning = liability for a tool that shells out. No changelog = "is this maintained?"
This PR closes every credibility gap identified in the automated daily improvement analysis.
Files Changed
- package.json: engines.node >= 18
- .github/workflows/ci.yml
- .github/workflows/codeql.yml
- CHANGELOG.md
- examples/x-thread.md
- REPORTS/daily-improvement.md
Test Plan
npx continuous-improvement install
104 tests | Zero dependencies | Node 18+ | MIT