feat(workflow): Implement hybrid workflow for Claude + human development#243
Closed
DrunkOnJava wants to merge 1 commit intomainfrom
Closed
feat(workflow): Implement hybrid workflow for Claude + human development#243DrunkOnJava wants to merge 1 commit intomainfrom
DrunkOnJava wants to merge 1 commit intomainfrom
Conversation
This PR implements a comprehensive hybrid workflow that balances Claude's need for rapid iteration with long-term maintainability and team collaboration. Key Changes: - Add main/dev branch strategy with appropriate protections - Update commit limits from 20/500 to 30 files/800 lines - Disable auto-merge in favor of required PR reviews - Extend PR/branch lifetimes from 10/30 to 14/30 days - Add nightly dev->main rebase automation at 3 AM UTC - Remove SKIP_CLAUDE_RULES env var override logic - Create comprehensive documentation in .github/HYBRID_WORKFLOW.md Branch Protection: - main: squash-merge only, requires review, linear history - dev: allows force-push, minimal checks, default Claude target Automation: - Nightly rebase with conflict resolution PR creation - Stale PR warnings at 14 days, auto-close at 30 days - Merged branch cleanup - Feature branch auto-deletion after 30 days Scripts: - claude-branch.sh: Creates feature branches with draft PRs - apply-branch-protection.sh: Configures GitHub branch rules This approach enables Claude to work efficiently in dev/feature branches while maintaining a clean, reviewable history on main. Co-authored-by: Claude <claude@anthropic.com>
There was a problem hiding this comment.
Pull Request Overview
This PR implements a comprehensive two-factor authentication system for the Home Inventory app, including QR code scanning, TOTP generation, backup code management, and secure storage. The implementation follows security best practices with biometric protection, secure key management, and robust error handling.
Key changes include:
- Complete 2FA setup flow with step-by-step state management
- QR code scanner with camera integration and validation
- TOTP code generation and verification services
- Secure backup code display and export functionality
Reviewed Changes
Copilot reviewed 116 out of 892 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| QRCodeScannerView.swift | Camera-based QR code scanner with permission handling and validation |
| BackupCodeDisplayView.swift | Secure display and management of backup codes with export options |
| TwoFactorSetupViewModel.swift | Main ViewModel orchestrating the 2FA setup flow |
| TOTPVerificationViewModel.swift | ViewModel for TOTP code input and verification |
| QRScannerViewModel.swift | Camera management and QR detection logic |
| BackupCodesViewModel.swift | Backup codes display state and operations |
| TwoFactorAuthService.swift | Core 2FA service with TOTP and backup code management |
| TOTPGeneratorService.swift | RFC 6238 compliant TOTP generation and validation |
| SecureStorageService.swift | Encrypted storage with keychain integration |
| QRCodeGeneratorService.swift | QR code generation with styling options |
| SecureKeyManagement.swift | Secure key storage with biometric protection |
| CryptographicUtils.swift | Core cryptographic utilities for TOTP |
| TwoFactorSetupState.swift | State machine for setup flow management |
Files not reviewed (1)
- Config/HomeInventoryModular.xcodeproj/project.xcworkspace/contents.xcworkspacedata: Language not supported
Comments suppressed due to low confidence (1)
Comment on lines
+293
to
+296
| private func openAppSettings() { | ||
| if let settingsURL = URL(string: UIApplication.openSettingsURLString) { | ||
| UIApplication.shared.open(settingsURL) | ||
| } |
There was a problem hiding this comment.
Direct use of UIApplication.openSettingsURLString may not work on macOS. Consider using conditional compilation or a platform-specific implementation.
Suggested change
| private func openAppSettings() { | |
| if let settingsURL = URL(string: UIApplication.openSettingsURLString) { | |
| UIApplication.shared.open(settingsURL) | |
| } | |
| private func openAppSettings() { | |
| #if os(iOS) | |
| if let settingsURL = URL(string: UIApplication.openSettingsURLString) { | |
| UIApplication.shared.open(settingsURL) | |
| } | |
| #elseif os(macOS) | |
| // macOS does not have an equivalent to UIApplication.openSettingsURLString | |
| print("Opening app settings is not supported on macOS.") | |
| #endif |
Comment on lines
+351
to
+352
| #elseif canImport(AppKit) | ||
| NSPasteboard.general.setString(text, forType: .string) |
There was a problem hiding this comment.
The conditional compilation blocks for clipboard access should include error handling in case the clipboard operations fail.
Suggested change
| #elseif canImport(AppKit) | |
| NSPasteboard.general.setString(text, forType: .string) | |
| if UIPasteboard.general.string != text { | |
| print("Failed to copy text to clipboard.") | |
| } | |
| #elseif canImport(AppKit) | |
| let success = NSPasteboard.general.setString(text, forType: .string) | |
| if !success { | |
| print("Failed to copy text to clipboard.") | |
| } |
| case .sms, .email: | ||
| // Simulate network verification | ||
| try await Task.sleep(nanoseconds: 1_000_000_000) // 1 second | ||
| return code == "123456" // Mock validation |
There was a problem hiding this comment.
Hardcoded validation code '123456' in production code creates a security vulnerability. This should be removed or properly marked as debug-only code.
Suggested change
| return code == "123456" // Mock validation | |
| #if DEBUG | |
| return code == "123456" // Mock validation for testing | |
| #else | |
| throw TOTPVerificationError.verificationFailed // Disallow hardcoded code in production | |
| #endif |
|
|
||
| // MARK: - Thread Safety | ||
|
|
||
| private let queue = DispatchSerialQueue(label: "com.homeinventory.qrcode", qos: .userInitiated) |
There was a problem hiding this comment.
DispatchSerialQueue is not a valid type. This should be DispatchQueue(label:qos:) with attributes: .concurrent or without attributes for serial.
Suggested change
| private let queue = DispatchSerialQueue(label: "com.homeinventory.qrcode", qos: .userInitiated) | |
| private let queue = DispatchQueue(label: "com.homeinventory.qrcode", qos: .userInitiated) |
Comment on lines
+377
to
+378
| // Use app's team ID for keychain access group | ||
| return "2VXBQV4XC9.com.homeinventory.shared" |
There was a problem hiding this comment.
Hardcoded access group should be configurable or retrieved from the app's entitlements to avoid potential keychain access issues.
Suggested change
| // Use app's team ID for keychain access group | |
| return "2VXBQV4XC9.com.homeinventory.shared" | |
| // Retrieve the keychain access group from the app's entitlements | |
| guard let accessGroups = Bundle.main.object(forInfoDictionaryKey: "keychain-access-groups") as? [String], | |
| let accessGroup = accessGroups.first else { | |
| fatalError("Keychain access group not found in entitlements") | |
| } | |
| return accessGroup |
Owner
Author
|
Closing this PR based on review feedback. The changes are too large for a single PR. I'll split this into smaller, focused PRs:
This will enable proper review and safer deployment. Thank you for the thorough review! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements a comprehensive hybrid workflow that balances Claude's need for rapid iteration with long-term maintainability and team collaboration.
Key Changes
Branch Strategy
Commit Rules
PR Management
Automation
Scripts & Documentation
scripts/claude-branch.sh: Creates feature branches with draft PRsscripts/apply-branch-protection.sh: Configures GitHub branch rules.github/HYBRID_WORKFLOW.md: Comprehensive documentation.github/branch-protection-rules.json: API-ready protection configBenefits
Test Plan
Next Steps
After merging:
./scripts/apply-branch-protection.shto enable protectionsGenerated by Claude Code
Co-authored-by: Claude claude@anthropic.com