docs(claude-md): audit and rewrite project guidance #15
Update agent definitions, AGENTS.md, and component polish for v1.0 release. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
OAuth token at ~/.jcc/gmail/token.json was written world-readable. Add os.chmod(token_path, 0o600) after every write in both the initial auth flow and the token-refresh path. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
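An added example, not code from this repository: one way to write such a token file so that both the initial write and a refresh leave it at 0o600. It goes a step beyond the commit's chmod-after-write by creating the file with owner-only mode and renaming it into place; `write_token`, `token_mode` and `demo` are hypothetical names, and the token values are constructed.

```python
import json
import os
import stat
import tempfile


def write_token(token_path: str, token: dict) -> None:
    """Write an OAuth token file readable and writable by its owner only."""
    directory = os.path.dirname(os.path.abspath(token_path))
    os.makedirs(directory, mode=0o700, exist_ok=True)
    # mkstemp creates the temp file with mode 0o600 regardless of umask,
    # so the secret is never on disk under a wider mode.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".token-")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(token, fh)
        # Explicit chmod, as in the commit, so the mode is stated in code.
        os.chmod(tmp_path, 0o600)
        # Atomic rename: an older, possibly world-readable file is replaced
        # as a whole, so the refresh path also ends with a 0o600 file.
        os.replace(tmp_path, token_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def token_mode(token_path: str) -> int:
    """Return the permission bits of the token file."""
    return stat.S_IMODE(os.stat(token_path).st_mode)


def demo() -> tuple[int, int]:
    """Constructed scenario: initial write, then a refresh over a 0o644 file."""
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, "gmail", "token.json")
        write_token(path, {"access_token": "constructed-sample"})
        first = token_mode(path)
        os.chmod(path, 0o644)  # simulate the old world-readable state
        write_token(path, {"access_token": "constructed-refreshed"})
        return first, token_mode(path)


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```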
Resolves RUSTSEC-2026-0007: integer overflow in BytesMut::reserve. Upgrade bytes 1.11.0 -> 1.11.1 via cargo update. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- quinn-proto 0.11.13 -> 0.11.14 (RUSTSEC-2026-0037, HIGH: DoS)
- rkyv 0.7.45 -> 0.7.46 (RUSTSEC-2026-0001: UB on OOM)
- rustls-webpki 0.103.8 -> 0.103.11 (RUSTSEC-2026-0049: CRL matching)
- tar 0.4.44 -> 0.4.45 (RUSTSEC-2026-0067/0068: symlink/PAX header bugs)
- time 0.3.44 -> 0.3.47 (RUSTSEC-2026-0009: DoS stack exhaustion)
rsa 0.9.10 (RUSTSEC-2023-0071) has no upstream fix available.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…bypass
- fastapi 0.115.12 → >=0.123.0 (unlocks starlette 0.49.1+ fix) resolved to 0.135.3 in lock; uvicorn unpinned to >=0.34.2
- starlette resolved to 1.0.0 (via uv lock --upgrade-package starlette): fixes CVE-2025-54121 (MEDIUM, SpooledTemporaryFile I/O block DoS) and CVE-2025-62727 (HIGH, Range header quadratic-time DoS)
- cryptography resolved to 46.0.7 (from 46.0.5): fixes CVE-2026-34073 (name constraint bypass) and CVE-2026-39892
uv.lock is git-excluded per .git/info/exclude; run `uv lock` to regenerate.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Bumps version from 0.1.0 to 1.0.0 across tauri.conf.json, Cargo.toml, and package.json. Removes 'unsafe-inline' from script-src in production CSP (security hardening). Adds devCsp with 'unsafe-eval' for Vite HMR dev mode. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
claude-sonnet-4-20250514 -> claude-sonnet-4-6 (1 ref, doc only) The dated Sonnet 4 alias retires 2026-06-15. The implementation plan's Key Decisions table referenced the soon-retired ID; this keeps documentation consistent with current Anthropic offerings. No source code in this project uses the deprecated ID. Refs: https://platform.claude.com/docs/en/about-claude/model-deprecations Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
docs/LINKEDIN-BOT-DETECTION.md: how the LinkedIn adapter avoids bot detection (persistent real-browser session, hard rate limits, randomized delays, Easy Apply only), what still triggers detection (CAPTCHA mid-flow, fingerprint reuse, DOM drift), operator playbook. Sourced from sidecar/src/adapters/linkedin.py.
docs/developer/ai-tooling.md: Claude Code commands + task agents.
docs/developer/README.md: link the new ai-tooling doc.
AGENTS.md, CLAUDE.md: portfolio-context blocks.
package.json, src-tauri/tauri.conf.json: prettier auto-format sync.
package-lock.json: minor lockfile drift.
src-tauri/binaries/jcc-sidecar-aarch64-apple-darwin: rebuilt sidecar.
pnpm-lock.yaml diverged drastically and is left uncommitted; resolve in a dedicated dependency-hygiene PR.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
feat(docs): LinkedIn bot-detection notes + AI tooling + harness sync
…portable skills
- pnpm-lock.yaml regenerated
- Deleted vendored 80MB jcc-sidecar binary (build artifact, not source)
- Linked 4 portable skills (api-design, migration, notarize, tauri-release)
- CLAUDE.md additions
Mid-flight WIP captured for review; not pushed.
pyo3 0.24.0 (transitively required by pydantic-core) supports up to Python 3.13. Workflow was pinning '3.14' which fails the wheel build. Project spec is 3.12+, so pinning to 3.12 matches the documented stack and unblocks the sidecar CI lane. Note: Tauri test-backend job is failing separately on missing glib-2.0 system libs (pre-existing — main has been CI-red since 2026-04-13). Out of scope for this PR.
chore(deps): refresh pnpm lockfile, drop legacy sidecar binary, link portable skills
CLAUDE.md:
- Remove duplicate <!-- portfolio-context --> block (was at lines 294-337). The auto-portfolio sync owns the block at line 181-218; the second one was a stale pre-rebase addition.
CI (Test (Tauri)):
- Pin pnpm/action-setup to v11 (action v4 requires explicit version since no packageManager field in package.json).
- Install Tauri Linux system deps (libgtk-3-dev, libwebkit2gtk-4.1-dev, libsoup-3.0-dev, libjavascriptcoregtk-4.1-dev, librsvg2-dev, libayatana-appindicator3-dev) before cargo clippy. Without these the webkit/gtk crates fail to build.
Both lanes have been failing on main since 2026-04-13 (pre-existing).
… with onlyBuiltDependencies)
…i-ci chore: dedupe CLAUDE.md portfolio-context block + fix Tauri CI
…error
Two additive notes:
1. "Parent CLAUDE.md scope": /Users/d/Projects/CLAUDE.md is TypeScript/Node backend rules. It only partially applies here — React 19 frontend can follow its TS conventions, but the Rust Tauri backend and Python sidecar must not inherit Zod/BullMQ/JWT/Prisma guidance. Stack wins on conflict.
2. "Manual overrides to the managed block below": flags that the auto-generated portfolio-context block incorrectly claims "Use npm only; this repo does not use pnpm." Evidence: pnpm-lock.yaml exists (added in fd601bd v1.0), CI uses pnpm install --frozen-lockfile (.github/workflows/test.yml), and the last two commits (536c7ef, f5b8fa8) are pnpm v11 CI fixes. package-lock.json is an orphan from the initial template scaffold.
Long-term fix is in the portfolio-context generator; this commit is a short-term agent-facing override. Managed portfolio-context block content itself is untouched — it regenerates.
Backend rules are now path-gated via ~/.claude/rules/backend-node-baseline.md (paths frontmatter matches .ts/.tsx/.js/.mjs/.cjs/package.json only) — Rust backend and Python sidecar no longer load them. The /Users/d/Projects/CLAUDE.md parent file has been deleted. Frontend rule still applies to the React 19 SPA via path match, as intended. npm/pnpm override note retained — still useful until the portfolio-context generator is patched to read CI workflow as ground truth.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e68fc00b91
| @@ -0,0 +1 @@ | |||
| /Users/d/.claude/portable-skills/api-design No newline at end of file | |||
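Review bot: the single added line is an absolute path under one developer's home directory (/Users/d/.claude/portable-skills/api-design), so anything that reads through this entry gets whatever exists at that path on the host rather than content that was reviewed in this repository, and the committed path also records a local username. Vendor the skill as regular files, or use a relative target that stays inside the repository.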
Replace absolute Claude skill symlinks
These new skill entries are symlinks to /Users/d/..., so any checkout that is not on that developer's machine gets broken .claude/skills/* paths; in this Linux checkout cat .claude/skills/api-design already fails because the target does not exist. If the repo is meant to provide these Claude skills, commit real relative files/directories or omit machine-local links so the tooling works for other contributors and CI.
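A check for the problem raised in the review comment above, as an added example that is not part of this pull request: it walks a checkout and reports symlinks whose target is absolute, resolves outside the repository, or does not exist. `audit_symlinks` and `demo` are hypothetical names; the skill names come from the commit message, and every target except the api-design one is constructed.

```python
import os
import tempfile


def audit_symlinks(repo_root: str) -> list[tuple[str, str, str]]:
    """Return (link, target, reason) for symlinks that are not portable."""
    root = os.path.realpath(repo_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if ".git" in dirnames:
            dirnames.remove(".git")  # skip git's own metadata
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            rel = os.path.relpath(path, root)
            if os.path.isabs(target):
                findings.append((rel, target, "absolute target"))
                continue
            # Resolve the relative target lexically from the link's directory.
            resolved = os.path.normpath(os.path.join(dirpath, target))
            if os.path.commonpath([root, resolved]) != root:
                findings.append((rel, target, "escapes repository"))
            elif not os.path.exists(path):
                findings.append((rel, target, "dangling"))
    return sorted(findings)


def demo() -> list[tuple[str, str, str]]:
    """Constructed checkout: one portable link and three that are not."""
    with tempfile.TemporaryDirectory() as repo:
        skills = os.path.join(repo, ".claude", "skills")
        os.makedirs(skills)
        os.makedirs(os.path.join(repo, "shared", "migration"))
        # Absolute target, as in the reviewed hunk.
        os.symlink("/Users/d/.claude/portable-skills/api-design",
                   os.path.join(skills, "api-design"))
        os.symlink("../../shared/migration", os.path.join(skills, "migration"))
        os.symlink("../../../outside", os.path.join(skills, "notarize"))
        os.symlink("../../shared/missing", os.path.join(skills, "tauri-release"))
        return audit_symlinks(repo)


if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

Run as a CI step, a non-empty result from `audit_symlinks` can fail the job before such links are merged.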
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: pnpm/action-setup@v4 |
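Review bot: both `uses:` entries in the steps list, `actions/checkout@v4` and `pnpm/action-setup@v4`, reference a mutable tag, so the code this job runs can change without any change to this file. Pin each action to a full commit SHA and keep the tag in a trailing comment for readability.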
Use npm in the frontend workflow
The new frontend CI job is wired to pnpm even though this repo's instructions say it uses npm only and the canonical verifier is npm ci / npm run check:all. On GitHub this PR signal can pass without exercising the maintained npm/package-lock path or the lint/format/ast-grep checks bundled in check:all, so npm-only breakage can be missed; please switch the workflow to the npm verifier.
Substantive rewrite of project CLAUDE.md. Additive to global ~/.claude/CLAUDE.md @imports.
Net -61 lines (+175/-236):
`pnpm-lock.yaml` is canonical; `package-lock.json` is an orphan from the original template scaffold)
Caveat: Tauri CI lane was previously documented 'pre-existingly red' but is now green after 536c7ef/f5b8fa8 (pnpm v11→v10). Local-only gotcha: `tauri:build` needs a pre-compiled PyInstaller sidecar at `src-tauri/binaries/` (gitignored).
Authored by Sonnet 4.6 under Opus 4.7 coordination (Tier 2 pattern).