
chore(codex): bootstrap tests and docs defaults#10

Merged
saagar210 merged 4 commits into master from codex/bootstrap-tests-docs-v1 on Feb 17, 2026

Conversation

@saagar210 (Owner)

What

  • Bootstrap repository with global tests/docs enforcement defaults.
  • Add verification command contract and quality gate workflow.

Why

  • Ensure every new repository starts with mandatory tests + living docs policy.

Testing

  • bootstrap script created files and marker contract
  • repository gate commands must be run after dependency install

Risk / Notes

  • Update to exact repo commands if scaffold defaults differ.

- Add dev:lean workflow with temporary Cargo and Vite cache locations
- Add clean:heavy and clean:all scripts for targeted and full cleanup
- Document normal vs lean dev tradeoffs and cleanup usage in README
- Update npm scripts to call local tool binaries reliably in this environment

Tests: ./scripts/verify.sh (fails in tauri smoke due to ':' in workspace path)
@gemini-code-assist (Contributor)

Summary of Changes

Hello @saagar210, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request bootstraps new repositories with essential quality and development practices. It introduces global enforcement for testing and documentation, ensuring that all new projects adhere to a high standard from inception. Additionally, it provides utilities for efficient local development by managing build artifacts and offering flexible cleanup options.

Highlights

  • Global Quality Enforcement: Established global policies for mandatory tests and living documentation, ensuring all new repositories adhere to high quality standards from inception.
  • Automated Verification Workflow: Introduced a verification command contract and a quality gate workflow to automatically enforce testing and documentation policies within the CI/CD pipeline.
  • Optimized Development Experience: Implemented new development and cleanup scripts, including a 'Lean Dev' mode to manage disk usage by redirecting and cleaning temporary build caches, and dedicated scripts for heavy and full project cleanup.


Changelog
  • .codex/bootstrap/tests-docs.v1.json
    • Added a new JSON contract file to define the tests-docs-bootstrap-v1 configuration, including adapter, branch, generation details, and a list of files changed by the bootstrap process.
  • .codex/prompts/test-critic.md
    • Added a markdown document outlining detailed review criteria for a 'QA Test Critic,' focusing on test quality, coverage, and documentation requirements.
  • .codex/scripts/run_verify_commands.sh
    • Added a bash script designed to execute a series of verification commands listed in a specified file, failing if any command exits with an error.
  • .codex/verify.commands
    • Added a text file containing a list of pnpm commands for linting, type-checking, testing (coverage, integration, e2e), and documentation generation/checking, to be used by the run_verify_commands.sh script.
  • AGENTS.md
    • Added a markdown document titled 'Definition of Done: Tests + Docs (Blocking),' which specifies mandatory requirements for tests, documentation, API changes, architecture decisions, and CI checks.
  • README.md
    • Updated the README to include new sections for 'Lean Dev (low disk mode)' with instructions and explanations, and 'Cleanup commands' for clean:heavy and clean:all scripts.
  • docs/adr/0000-template.md
    • Added a template for Architecture Decision Records (ADR), including sections for Status, Context, Decision, Consequences, and Alternatives Considered.
  • openapi/openapi.generated.json
    • Added an initial OpenAPI 3.1.0 contract file with basic info, paths, and components, serving as a placeholder for API documentation.
  • package.json
    • Modified script commands to explicitly use node for CLI tools (vite, tsc, vitest, tauri).
    • Added new scripts: dev:lean, clean:heavy, and clean:all.
  • scripts/ci/require-tests-and-docs.mjs
    • Added a Node.js script for CI that enforces policies requiring test updates for production code changes, documentation for API changes, and ADRs for architecture changes.
  • scripts/clean-all.sh
    • Added a bash script that performs a comprehensive cleanup by first running clean-heavy.sh and then removing the node_modules directory.
  • scripts/clean-heavy.sh
    • Added a bash script to remove heavy build artifacts such as dist/, artifacts/, src-tauri/target/, and node_modules/.vite/.
  • scripts/lean-dev.sh
    • Added a bash script that enables a 'lean development' mode by redirecting heavy build caches to temporary directories and cleaning them up on exit, also providing disk usage reports.
  • vite.config.ts
    • Updated the Vite configuration to conditionally set the cacheDir based on the DESKTOPPET_VITE_CACHE_DIR environment variable, supporting the 'lean dev' mode.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/quality-gates.yml
Activity
  • No specific activity (comments, reviews, progress updates) was provided in the context for this pull request.

Comment on lines +10 to +46 of .github/workflows/quality-gates.yml

        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v5
            with:
              fetch-depth: 0

          - uses: actions/setup-node@v5
            with:
              node-version: 22

          - uses: pnpm/action-setup@v4
            with:
              version: 9

          - name: Install dependencies
            run: pnpm install --frozen-lockfile

          - name: Policy checks
            run: node scripts/ci/require-tests-and-docs.mjs

          - name: Verify commands
            run: bash .codex/scripts/run_verify_commands.sh

          - name: Diff coverage
            run: |
              python -m pip install --upgrade pip diff-cover
              diff-cover coverage/lcov.info --compare-branch=origin/main --fail-under=90

          - name: Upload test artifacts on failure
            if: failure()
            uses: actions/upload-artifact@v4
            with:
              name: test-artifacts
              path: |
                playwright-report/
                test-results/
                coverage/

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, about 1 month ago)

In general, to fix this class of problem you explicitly define a permissions block at the workflow root or for the specific job, granting only the minimal scopes required (often contents: read for typical CI tasks). This prevents unintended broad access from inherited defaults and makes the workflow’s needs clear.

For this workflow, the simplest and best fix without changing existing functionality is to add a job-level permissions block under jobs.quality, setting contents: read. None of the steps require writing to the repository or modifying issues/PRs via API; they only need to read the code and upload artifacts. GitHub-hosted runners always have network/FS access needed for dependency installation and diff analysis; these do not require extra GITHUB_TOKEN scopes. So we will edit .github/workflows/quality-gates.yml, and directly under quality: (before runs-on:) add:

    permissions:
      contents: read

No additional imports, methods, or definitions are needed since this is a YAML workflow configuration change only.

Suggested changeset 1: .github/workflows/quality-gates.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/quality-gates.yml b/.github/workflows/quality-gates.yml
--- a/.github/workflows/quality-gates.yml
+++ b/.github/workflows/quality-gates.yml
@@ -7,6 +7,8 @@
 
 jobs:
   quality:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
EOF
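Review bot: placing `permissions: contents: read` under `quality:` only scopes this one job; any job added to quality-gates.yml later will again inherit the repository default token scopes, so also declare the same block at the workflow root (above `jobs:`) and widen per job only where a step needs more. In the same file, the diff-coverage step passes `--compare-branch=origin/main` while this pull request targets `master`; verify the branch name matches the repository default, otherwise diff-cover compares against a ref that does not exist.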
@codacy-production (Contributor)

codacy-production bot commented Feb 17, 2026

Codacy's Analysis Summary

39 new issues (≤ 0 issue)
1 new security issue
9 complexity
0 duplications



@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a74d788805


version: 9

- name: Install dependencies
run: pnpm install --frozen-lockfile


P1: Use a lockfile-compatible install command in quality gate

This job installs dependencies with pnpm install --frozen-lockfile, but the repository only contains package-lock.json (no pnpm-lock.yaml), so pnpm exits with ERR_PNPM_NO_LOCKFILE before any checks run. In practice this makes the new quality-gates workflow fail on every run unless a pnpm lockfile is added or the install command is switched to an npm-compatible path.


@@ -0,0 +1,7 @@
pnpm lint


P1: Replace verify command list with existing repo scripts

The verification runner executes .codex/verify.commands verbatim, and the first entry is pnpm lint even though package.json does not define a lint script (same issue for typecheck, test:integration, test:e2e:smoke, and docs:*). pnpm returns Command "lint" not found, so the gate stops immediately and cannot validate the repository as intended.


@sonarqubecloud

Quality Gate failed

Failed conditions
3 Security Hotspots


.map((line) => line.trim())
.filter(Boolean);

const isProdCode = (file) => /^(src|app|server|api)\//.test(file) && !/\.(test|spec)\.[cm]?[jt]sx?$/.test(file);

Codacy has a fix for the issue: ES2015 arrow function expressions are forbidden.

Suggested change
const isProdCode = (file) => /^(src|app|server|api)\//.test(file) && !/\.(test|spec)\.[cm]?[jt]sx?$/.test(file);
const isProdCode = function(file) { return /^(src|app|server|api)\//.test(file) && !/\.(test|spec)\.[cm]?[jt]sx?$/.test(file) };


const isProdCode = (file) => /^(src|app|server|api)\//.test(file) && !/\.(test|spec)\.[cm]?[jt]sx?$/.test(file);
const isTest = (file) => /^tests\//.test(file) || /\.(test|spec)\.[cm]?[jt]sx?$/.test(file);
const isDoc = (file) => /^docs\//.test(file) || /^openapi\//.test(file) || file === 'README.md';

Codacy has a fix for the issue: ES2015 arrow function expressions are forbidden.

Suggested change
const isDoc = (file) => /^docs\//.test(file) || /^openapi\//.test(file) || file === 'README.md';
const isDoc = function(file) { return /^docs\//.test(file) || /^openapi\//.test(file) || file === 'README.md' };

}
})();

const baseRef = process.env.GITHUB_BASE_REF ? `origin/${process.env.GITHUB_BASE_REF}` : defaultBaseRef;

Codacy has a fix for the issue: ES2015 template literals are forbidden.

Suggested change
const baseRef = process.env.GITHUB_BASE_REF ? `origin/${process.env.GITHUB_BASE_REF}` : defaultBaseRef;
const baseRef = process.env.GITHUB_BASE_REF ? "origin/"+process.env.GITHUB_BASE_REF : defaultBaseRef;

.filter(Boolean);

const isProdCode = (file) => /^(src|app|server|api)\//.test(file) && !/\.(test|spec)\.[cm]?[jt]sx?$/.test(file);
const isTest = (file) => /^tests\//.test(file) || /\.(test|spec)\.[cm]?[jt]sx?$/.test(file);

Codacy has a fix for the issue: ES2015 arrow function expressions are forbidden.

Suggested change
const isTest = (file) => /^tests\//.test(file) || /\.(test|spec)\.[cm]?[jt]sx?$/.test(file);
const isTest = function(file) { return /^tests\//.test(file) || /\.(test|spec)\.[cm]?[jt]sx?$/.test(file) };

const isTest = (file) => /^tests\//.test(file) || /\.(test|spec)\.[cm]?[jt]sx?$/.test(file);
const isDoc = (file) => /^docs\//.test(file) || /^openapi\//.test(file) || file === 'README.md';
const isApiSurface = (file) => /^(src|app|server|api)\/.*(route|controller|handler|webhook|api|command)/.test(file);
const isArchChange = (file) => /^src\/(auth|db|infra|queue|events|architecture)\//.test(file) || /^infra\//.test(file);

Codacy has a fix for the issue: ES2015 arrow function expressions are forbidden.

Suggested change
const isArchChange = (file) => /^src\/(auth|db|infra|queue|events|architecture)\//.test(file) || /^infra\//.test(file);
const isArchChange = function(file) { return /^src\/(auth|db|infra|queue|events|architecture)\//.test(file) || /^infra\//.test(file) };

const isProdCode = (file) => /^(src|app|server|api)\//.test(file) && !/\.(test|spec)\.[cm]?[jt]sx?$/.test(file);
const isTest = (file) => /^tests\//.test(file) || /\.(test|spec)\.[cm]?[jt]sx?$/.test(file);
const isDoc = (file) => /^docs\//.test(file) || /^openapi\//.test(file) || file === 'README.md';
const isApiSurface = (file) => /^(src|app|server|api)\/.*(route|controller|handler|webhook|api|command)/.test(file);

Codacy has a fix for the issue: ES2015 arrow function expressions are forbidden.

Suggested change
const isApiSurface = (file) => /^(src|app|server|api)\/.*(route|controller|handler|webhook|api|command)/.test(file);
const isApiSurface = function(file) { return /^(src|app|server|api)\/.*(route|controller|handler|webhook|api|command)/.test(file) };

const isDoc = (file) => /^docs\//.test(file) || /^openapi\//.test(file) || file === 'README.md';
const isApiSurface = (file) => /^(src|app|server|api)\/.*(route|controller|handler|webhook|api|command)/.test(file);
const isArchChange = (file) => /^src\/(auth|db|infra|queue|events|architecture)\//.test(file) || /^infra\//.test(file);
const isAdr = (file) => /^docs\/adr\/\d{4}-.*\.md$/.test(file);

Codacy has a fix for the issue: ES2015 arrow function expressions are forbidden.

Suggested change
const isAdr = (file) => /^docs\/adr\/\d{4}-.*\.md$/.test(file);
const isAdr = function(file) { return /^docs\/adr\/\d{4}-.*\.md$/.test(file) };

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request aims to enforce testing and documentation policies by introducing new scripts for 'lean development', cleanup, and quality gate verification, along with policy documents. However, it introduces two critical command injection vulnerabilities: one in .codex/scripts/run_verify_commands.sh due to unsanitized cmd execution, and another in scripts/ci/require-tests-and-docs.mjs where baseRef is used directly in execSync. Other identified issues include a hardcoded user path, a potentially brittle regex, and the use of a login shell in the verification script which could affect reproducibility.

[[ -z "$cmd" ]] && continue
[[ "$cmd" =~ ^# ]] && continue
echo ">>> $cmd"
if ! bash -lc "$cmd"; then

security-critical (critical)

This line introduces a critical command injection vulnerability. The cmd variable, read directly from the VERIFY_FILE, is executed without sanitization, allowing arbitrary command injection and potential remote code execution. Additionally, using bash -l makes the script's behavior dependent on the user's login shell configuration, which can lead to non-reproducible behavior. The suggested change addresses both the command injection by properly quoting the command and improves reproducibility.

Suggested change
if ! bash -lc "$cmd"; then
if ! bash -lc "$(printf %q "$cmd")"; then

})();

const baseRef = process.env.GITHUB_BASE_REF ? `origin/${process.env.GITHUB_BASE_REF}` : defaultBaseRef;
const diff = execSync(`git diff --name-only ${baseRef}...HEAD`, { encoding: 'utf8' })

security-critical (critical)

The baseRef variable, which can be controlled by the GITHUB_BASE_REF environment variable, is directly used in an execSync call without proper sanitization. This allows for command injection if an attacker can control the GITHUB_BASE_REF environment variable.

To remediate this, ensure that baseRef is properly sanitized before being used in the execSync command. Consider using a library that safely escapes shell arguments or strictly validating the input.

Suggested change
const diff = execSync(`git diff --name-only ${baseRef}...HEAD`, { encoding: 'utf8' })
const diff = execSync(`git diff --name-only ${JSON.stringify(baseRef)}...HEAD`, { encoding: 'utf8' })

"adapter": "node-ts",
"branch": "codex/bootstrap-tests-docs-v1",
"generated_at": "2026-02-17T05:41:48.224Z",
"generated_by": "/Users/d/.codex/scripts/bootstrap/global_tests_docs_bootstrap.mjs",

medium

The generated_by field contains a hardcoded absolute path to a user's local directory. This is not portable and exposes details about the local machine setup. It's better to use just the script name to improve portability and avoid leaking local machine details.

Suggested change
"generated_by": "/Users/d/.codex/scripts/bootstrap/global_tests_docs_bootstrap.mjs",
"generated_by": "global_tests_docs_bootstrap.mjs",

.map((line) => line.trim())
.filter(Boolean);

const isProdCode = (file) => /^(src|app|server|api)\//.test(file) && !/\.(test|spec)\.[cm]?[jt]sx?$/.test(file);

medium

The isProdCode check relies on a whitelist of directories (src, app, server, api). This means if production code is added to a new directory (e.g., lib/, shared/), it will not be covered by this policy check, potentially allowing production code changes without corresponding tests. Consider making this more robust, for example by defining production code as any code that is not part of other explicit categories like tests, docs, or config.

@saagar210 saagar210 closed this Feb 17, 2026
@saagar210 saagar210 merged commit 5b324da into master Feb 17, 2026
9 of 12 checks passed
@saagar210 saagar210 deleted the codex/bootstrap-tests-docs-v1 branch February 17, 2026 06:07