Comparing changes
base repository: Aureliolo/synthorg
base: v0.2.4
head repository: Aureliolo/synthorg
compare: v0.2.5
- 4 commits
- 26 files changed
- 1 contributor
Commits on Mar 15, 2026

chore: add pyrightconfig.json and fix all pyright errors (#448)

## Summary

- Add `pyrightconfig.json` with `standard` mode and suppressed noise rules for Pydantic/structlog/pytest (reduces 1648 false positives to 0)
- Fix all 17 actionable pyright findings across 8 source files:
  - `middleware.py`: pyright-specific ignore for ASGI `send()` type mismatch
  - `loader.py`: use `getattr` for `YAMLError.problem_mark` (avoids missing attr on base class)
  - `mem0/adapter.py`: pyright ignore for `_client` attr assignment
  - `org/store.py`: initialize `escaped` before conditional use
  - `presets.py`: extract validation loop into function to avoid unbound variable warnings
  - `mcp/__init__.py`: add `TYPE_CHECKING` imports for lazy-loaded `__all__` symbols
  - `docker_sandbox.py`: explicit `aiodocker.containers` import + pyright ignores
  - `test_factory.py`: initialize `side_effect` with `None` + assert narrowing

## Context

Pyright (used as LSP) produced 1648 errors due to no Pydantic plugin (unlike mypy). The project already has mypy strict + Pydantic plugin in CI as the authoritative type checker. This PR configures pyright as a useful editor companion by suppressing dynamic-library noise while keeping real bug detection.

## Test plan

- [x] `pyright src/ tests/` — 0 errors, 0 warnings
- [x] `mypy src/ tests/` — 0 issues in 974 files
- [x] `pytest tests/ -m unit -n auto` — 7868 passed
- [x] `ruff check` — all passed

Commit: f60746a

fix: export .intoto.jsonl provenance for OpenSSF Scorecard (#456)

## Summary

- Extract DSSE envelope from the Sigstore bundle and upload as `checksums.txt.intoto.jsonl` alongside the existing `.sigstore.json` release asset
- Scorecard's Signed-Releases check classifies `.sigstore.json` as a signature but not as provenance — `.intoto.jsonl` is the filename pattern it recognizes for SLSA provenance

## Context

OpenSSF Scorecard warns "release artifact does not have provenance" for v0.2.4 even though SLSA L3 attestations exist in GitHub's attestation store. The root cause is that Scorecard looks for `.intoto.jsonl` files in release assets for provenance detection, while our `.sigstore.json` bundle (which contains the same SLSA provenance data) is only recognized as a signature artifact.

## Changes

**`.github/workflows/cli.yml`** — Added `jq -c '.dsseEnvelope'` extraction step in the existing "Upload provenance bundle to release" step to produce `checksums.txt.intoto.jsonl` and upload it as a release asset.

## Test plan

- [ ] Verify `jq` is available on `ubuntu-latest` runners (pre-installed)
- [ ] Next tag push (v0.2.5+) should produce both `.sigstore.json` and `.intoto.jsonl` release assets
- [ ] Subsequent Scorecard run should show provenance recognized for the new release

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Commit: 2feed09

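The extraction described in the commit message above, as an added Python example (not the project's workflow code): it mirrors `jq -c '.dsseEnvelope'` and then checks that the resulting `.intoto.jsonl` line really is SLSA provenance for a given artifact. The function names and the sample bundle are constructed for illustration, the assumption that the statement's subject is `checksums.txt` is ours, and the check is structural only: verifying the signature is left to a Sigstore verifier.

```python
import base64
import hashlib
import json

INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

def extract_intoto_line(bundle_json: str) -> str:
    """Python equivalent of `jq -c '.dsseEnvelope'`: one compact JSON line."""
    envelope = json.loads(bundle_json).get("dsseEnvelope")
    if not isinstance(envelope, dict):
        raise ValueError("bundle has no dsseEnvelope (not a DSSE attestation)")
    return json.dumps(envelope, separators=(",", ":"))

def check_provenance(intoto_line: str, artifact: bytes) -> str:
    """Structural check (no signature check); returns the predicateType."""
    envelope = json.loads(intoto_line)
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    if not envelope.get("signatures"):
        raise ValueError("envelope carries no signatures")
    statement = json.loads(base64.b64decode(envelope["payload"], validate=True))
    predicate_type = statement.get("predicateType", "")
    if not predicate_type.startswith("https://slsa.dev/provenance/"):
        raise ValueError("statement is not SLSA provenance")
    want = hashlib.sha256(artifact).hexdigest()
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if want not in digests:
        raise ValueError("artifact digest not among statement subjects")
    return predicate_type

def make_sample_bundle(artifact: bytes) -> str:
    """Constructed sample bundle with a placeholder signature (demo input only)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "checksums.txt",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "dsseEnvelope": {"payload": payload, "payloadType": INTOTO_PAYLOAD_TYPE,
                         "signatures": [{"sig": "PLACEHOLDER"}]},
    })

if __name__ == "__main__":
    data = b"constructed checksums.txt contents\n"
    print(check_provenance(extract_intoto_line(make_sample_bundle(data)), data))
```
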
feat: default sandbox to enabled, polish CLI output, add sandbox CI build (#455)

## Summary

- **Default sandbox to enabled**: `DefaultState()` now returns `Sandbox: true` so the setup form pre-selects sandboxed code execution. `Load()` fallback (no config file) conservatively sets `Sandbox: false` — sandbox requires explicit user confirmation via `synthorg init`.
- **Polish CLI output**: New `cli/internal/ui` package with lipgloss-styled output — branded ASCII logo with version display, colored status icons (✓ ● ! ✗ →), key-value formatting, and hint lines. Replaces all raw `fmt.Fprintf` in `init.go` and `start.go`.
- **Sandbox CI build**: New `build-sandbox` job in `docker.yml` runs in parallel with backend/web builds. Same scan/sign/attest pipeline (Trivy + Grype + CIS + cosign + SLSA L3). Release notes updated with sandbox image row, digest, and verification commands.
- **CLAUDE.md**: Updated package structure (ui/), dependencies (lipgloss), and Docker CI description (sandbox).

## Test plan

- [x] `go test ./...` — all packages pass (config, ui, compose, docker, health, diagnostics, selfupdate)
- [x] `go vet ./...` — clean
- [x] `go build ./...` — compiles
- [x] golangci-lint — passed (pre-commit + pre-push hooks)
- [x] UI output manually verified via test binary (logo + styled lines render correctly)
- [ ] Verify `build-sandbox` job runs in CI on this PR (docker.yml triggers on `docker/**` changes — sandbox Dockerfile exists)

## Review coverage

Pre-reviewed by 5 agents (go-reviewer, go-security-reviewer, go-conventions-enforcer, infra-reviewer, docs-consistency). 8 findings identified and addressed:

- Cached lipgloss styles in struct fields (idiomatic pattern)
- Table-driven tests for UI output methods
- Migrated init.go overwrite warning to ui.Warn
- Conservative Load fallback (Sandbox=false without config)
- CLAUDE.md docs alignment

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Commit: a4869b6

chore(main): release 0.2.5 (#447)

🤖 I have created a release *beep* *boop*

---

## [0.2.5](v0.2.4...v0.2.5) (2026-03-15)

### Features

* default sandbox to enabled, polish CLI output, add sandbox CI build ([#455](#455)) ([a4869b6](a4869b6))

### Bug Fixes

* export .intoto.jsonl provenance for OpenSSF Scorecard ([#456](#456)) ([2feed09](2feed09))

### Maintenance

* add pyrightconfig.json and fix all pyright errors ([#448](#448)) ([f60746a](f60746a))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Commit: 24a0d7a

This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v0.2.4...v0.2.5